A compact yet powerful hacking tool is making waves in the cybersecurity community. The emergence of Flipper Zero has raised concerns about the ease with which someone can exploit devices with weak security. The device remains legal and may be purchased online by anyone. However, the controversy surrounding it has led to shipments being seized in the United States and Brazil and to the device being banned on Amazon. So, what makes it so controversial?
Although it looks like a kid’s toy at first glance, Flipper Zero is a pocket-sized device designed to emulate various wireless communication protocols, such as RFID, NFC, and Bluetooth. Simply put, it can read and interfere with wireless devices, and it can act as one itself, such as a TV remote or USB keyboard. However, concerns are not only about the misuse of Flipper Zero. This open-source device, which comes in a compact build reminiscent of the Tamagotchi digital pet toy from the early 2000s, is a versatile hacking device with an advanced user interface.
Flipper has sparked debates about the ethical implications of such a powerful tool being readily available to the public. There have been numerous viral videos where Flipper was used to alter gas station signs, trigger announcements in stores, and control wireless projectors. It has been used to get into buildings, open car gates, copy remote control signals, and turn off screens in shopping malls and restaurants.
Flipper’s functionality allows it to interact with several signal types:
- Near field communication (NFC) signals, used in bank cards and building access cards.
- 125 kHz RFID, used in older proximity cards and animal microchips.
- Infrared, used in many remote controls.
- Sub-1 GHz, used in garage door remotes and remote keyless systems.
To read a wireless signal, the user holds the Flipper device close to the source of the signal, uses the buttons to select the program that corresponds to the signal type, and selects “Read”. Flipper then stores the signal in its memory, allowing the user to emulate it, so that the device functions as a single key for the air conditioner, garage door, and TV.
In TikTok videos, which go viral and get taken down every day, Flipper Zero has also been seen emulating credit cards (magnetic stripes) and hotel cards, copying car keys, and unlocking password-protected phones. These attacks often rely on custom scripts or added features; additional technical development is therefore necessary to break into a more complicated system with a tool such as Flipper. Nearly all demonstrated attacks have only been successful against primitive or poorly protected devices.
“It’s a great conversation starter as it raises the awareness of such attacks in the general public, who are mostly unfamiliar with device vulnerabilities,” said Keysight Security Analyst Jetse Brouwer. “It can also serve as a great educational tool for developers that are just getting started with pen testing. However, I don’t see immediate security risks for consumers as long as they keep their firmware up to date and ensure the physical safety of the device. Device manufacturers keep on advancing their security measures and the vulnerabilities are found in the lab – with much more advanced and specialized testing setups.”
While most consumer devices are well-protected against Flipper-like attacks, this device offers an opportunity to discover what remains a potential target. Flipper Zero can be used to break into devices with zero level of security. While Keysight traditionally shows ways to break much more robust implementations, we should not forget that, sooner rather than later, any attack method becomes accessible to wider audiences. What is now at the edge of security expertise becomes common knowledge in 5 to 10 years. Making sure that your development is protected from the advanced threats of today means that tomorrow there will be fewer chances of it being broken by a simple-but-smart, off-the-shelf security toy.