Flipper Zero with its cute dolphin mascot looks like a Tamagotchi for hackers. Now, the seemingly innocent device is going viral on social media. The company itself claims the device is intended as a fun gadget for tech geeks and ethical hackers but the low price has seemingly made it a bit too accessible. One quick search on TikTok and you will find clips of people shutting off fast-food menus and playing arcade games for free.
What can the Flipper Zero do?
The Flipper Zero can read, copy, and emulate NFC, RFID, Infrared signals, iButton, and sub-gigahertz frequencies. That covers NFC-powered credit cards, RFID hotel card keys, TV remotes, car keys, and most wireless gadgets you can think of. That does sound quite scary and on top of that, the gadget is entirely legal.
The (good) limitations
It does however have limitations and is not as powerful as many social media clips make it out to be. Its range is limited and to read an NFC signal it has to be very close to the source to copy it. Credit cards are also encrypted so even if it does record its NFC signal it only gets the number and name on it, not the pin code and not the CVC key.
It also has built-in limitations that stop it from emulating what’s known as rolling codes, a system that for example modern car keys use. The company behind Flipper Zero has however admitted that there are some cars that use outdated security systems that can be cracked.
As far as RFID goes, if the data has encryption it’s entirely safe and the Flipper can’t read it, but old systems are still at risk.
The bad capabilities
While the Flipper Zero is relatively tame out of the box it turns out that is quite easy to modify. Both the hardware and software can be modified and added to which, unfortunately, some people have been taking advantage of. One example is the videos circulating of people changing the prices displayed on gas station signs. Another one is the modifications that let it set off customer service announcements in department stores.
Flipper Zero also has the ability to brute force simple RFID locks, this means it won’t even need to copy the original key. Luckily, more advanced RFID keys won’t read signals more than every few seconds which prevents brute force attacks. The scary part about this is that most hotels still use the simple version of RFID locks so anyone with a Flipper Zero could technically walk into your room.
Flipper Zero can spam attack smartphones
Another functionality that is less than ideal in some people’s hands. It can’t do this out of the box but by downloading third-party firmware, Flipper Zero can flood smartphones and other devices with Bluetooth messages. At first, the weakness was only exposed on iOS devices which can even be locked up completely by Bluetooth spam attacks.
Android users are a bit better off as the devices can’t (as of now) be completely locked. There will, however, be constant device pairing pop-ups that won’t stop until Bluetooth is turned off. Windows devices can be attacked in the same way as Android but the pop-ups won’t be nearly as annoying as the windows are smaller.
Not the only device available
Flipper Zero is in no way the only device that can be used for pranks or more malicious attacks. In fact, there have been plenty of gadgets like this around for a long time and many of them are much more powerful. What makes Flipper stand out is the packaging and the low price which has caused it to go viral. In other words, it doesn’t create a new threat but rather highlights security flaws that are already out there.
One can question if it’s appropriate that a device that can get you into someone else’s hotel room should be legal. Perhaps this might change and a ban might be on its way as U.S customs have already seized a shipment of Flipper Zeros.