What is the Flipper Zero?

The Flipper Zero is a portable multi-tool with a tiny piece of hardware in a toy-like body. It’s described by its creators as having a “game-like interface with a curious personality of a cyber-dolphin”. Inspired by the pwnagotchi project, it was designed “with the convenience of everyday usage in mind”. It’s a combination of multiple hardware tools, with a simple interface which can be used to explore and interact with digital systems in real life.

Going Viral on TikTok

Recently, the Flipper Zero has gone viral on TikTok. Videos often depict the Flipper Zero unlocking doors, starting cars, and bypassing security systems (with disclaimers or not, depending on the video). This has fueled the perception of the Flipper Zero as a magical hacking tool – a portrayal that’s both a little scary and a little misleading.

Although many of the more concerning TikTok videos, such as those showing car thefts or the theft of someone’s credit card information, have been proven false, there are still some very serious security concerns surrounding the Flipper Zero.

What Can the Flipper Zero Really Do?

The Flipper Zero is basically a two-way remote control that can receive, read, store, and transmit a variety of wireless signals. It can be used to explore and hack digital stuff such as radio protocols, access control systems, RFID, hardware, and more.

Clone Keyless Entry Cards

One of the Flipper Zero’s key abilities is copying access cards and badges. Although it seems innocent enough to clone an apartment complex entry card or pool pass card to share access with a friend, it should be noted that these access controls are in place for a reason – to restrict access. The bigger security concern is that this device could allow someone to create a replica and gain unauthorized entry to buildings, secure facilities, or even bypass public transport fare systems. It highlights the vulnerability of outdated RFID and NFC technology, especially if proper encryption isn’t in place.
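To make the encryption point concrete, here is an added Python sketch (not from the original article and not any vendor's actual card protocol) that contrasts a reader trusting a static card ID with one that uses challenge-response. The class names, the constructed card ID and the HMAC-SHA256 construction are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

class StaticIdReader:
    """Legacy model: the ID number the card broadcasts is the whole credential."""
    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)

    def admit(self, presented_id: bytes) -> bool:
        return presented_id in self.allowed_ids

class KeyedCard:
    """Card model: holds a secret key and only ever reveals MACs computed with it."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeResponseReader:
    def __init__(self, keys):
        self.keys = dict(keys)   # card_id -> key provisioned at enrolment
        self.pending = {}        # card_id -> outstanding single-use challenge

    def begin(self, card_id: bytes) -> bytes:
        self.pending[card_id] = secrets.token_bytes(16)
        return self.pending[card_id]

    def finish(self, card_id: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(card_id, None)   # a challenge is used once
        key = self.keys.get(card_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    card_id, key = b"\x04\xa1\xb2\xc3", secrets.token_bytes(32)  # constructed values
    legacy_accepts_copy = StaticIdReader({card_id}).admit(bytes(card_id))
    reader, card = ChallengeResponseReader({card_id: key}), KeyedCard(card_id, key)
    recorded = card.respond(reader.begin(card_id))
    genuine_ok = reader.finish(card_id, recorded)
    reader.begin(card_id)                          # fresh challenge for the next tap
    replay_ok = reader.finish(card_id, recorded)   # old response no longer matches
    return legacy_accepts_copy, genuine_ok, replay_ok
```

The static-ID reader admits any byte-for-byte copy of the ID, while the challenge-response reader rejects a previously recorded answer because each tap is checked against a new random challenge.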

A Universal Remote / Remote Access

The Flipper Zero’s infrared transmitter can mimic remote controls. The Flipper uses ‘brute force’ to send its library of IR codes wherever you point it, so you could use it to control any in-range device that has an IR remote. While there are more innocent uses, such as turning off your kids’ devices at bedtime or changing the channel on a TV at your neighborhood bar, there are some bigger security concerns with this capability. It could also be used to bypass a security gate or to clone someone’s garage door opener to gain unauthorized access to their home. (This would likely only work on older models, since newer models use rolling codes, which this device wouldn’t work on.)
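Why rolling codes defeat a recorded signal, shown from the receiver's side as an added Python example (not from the original article). It is a simplified counter-plus-HMAC model, not any manufacturer's real algorithm, and the key, window size and class names are assumptions.

```python
import hashlib
import hmac

def code_for(key: bytes, counter: int) -> bytes:
    """Code for one button press: a truncated MAC over the press counter."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:8]

class Remote:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.key, self.counter)

class FixedCodeReceiver:
    """Older model: one unchanging code, so any recorded copy stays valid."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)

class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.last, self.window = key, 0, window

    def accept(self, code: bytes) -> bool:
        # Only counters ahead of the last accepted one are candidates, so a
        # code that was already used (or skipped over) can never match again.
        for ctr in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(code, code_for(self.key, ctr)):
                self.last = ctr
                return True
        return False

def demo():
    key = bytes(range(32))                        # constructed demo key
    fixed = FixedCodeReceiver(b"\x5a" * 8)        # constructed fixed code
    fixed_replay = fixed.accept(b"\x5a" * 8) and fixed.accept(b"\x5a" * 8)
    remote, rx = Remote(key), RollingCodeReceiver(key)
    first = remote.press()
    results = [rx.accept(first), rx.accept(first)]   # genuine press, then replay
    skipped = remote.press()                         # pressed out of range
    results.append(rx.accept(remote.press()))        # receiver resyncs in window
    results.append(rx.accept(skipped))               # older code is now dead
    return fixed_replay, results
```

The look-ahead window lets the receiver tolerate presses it never heard; a remote that has drifted further than the window is rejected and has to be re-paired.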

Access Bluetooth Communications

From wireless headphones, to connecting with our vehicle’s audio system, to wearing a smartwatch – most people are using Bluetooth connections on a daily basis and don’t think twice about the vulnerabilities. The Flipper Zero allows users to ‘bluejack’ a nearby device by pairing with it, then using ‘brute force’ to authenticate themselves. This could potentially be used to monitor a person’s location. And more experienced hackers might be able to exploit vulnerabilities to take control of a device, eavesdrop on calls, or access stored data.

Security Concerns with the Flipper Zero

It’s important to remember that the Flipper Zero itself is just a tool. Its creators have promoted ethical use and set clear guidelines for responsible hacking. App store add-ons also must adhere to a strict set of rules. In the hands of responsible researchers and security professionals, it can be a valuable asset for identifying and patching vulnerabilities. However, the ease of use and open-source nature of the Flipper Zero make it a tool that can easily be misused by those with malicious intent.

Device Accessibility

The Flipper Zero is currently available on the open market for anyone in the United States or Canada to purchase. Despite being banned from Amazon (for its credit card reader capabilities), it can easily be purchased online for under $200 USD.

Canada to Potentially Limit Device Availability to Legitimate Actors

The TikTok videos showing users opening car doors are rumored to have been the reason behind the ban on the Flipper Zero and similar devices announced by Canada’s Minister of Innovation, Science, and Industry François-Philippe Champagne at the National Summit on Combatting Auto Theft earlier this year. He explained the ban by saying that “criminals have been using sophisticated tools, such as the Flipper Zero to steal cars. And Canadians are rightfully worried.”

The Canadian ban was initially announced as a total ban focused on completely stopping the importation, sale, and use of consumer hacking devices, like flippers. However, after significant backlash from the security industry and an online petition launched by Flipper Zero, Canada is now signaling it won’t fully ban the Flipper Zero. The Innovation, Science and Economic Development Canada (ISED) department has since clarified its stance on the issue, telling PCMag in an email that the intention is “to ban the illegitimate use of wireless devices used during car thefts. The intent is to move forward with measures to restrict the use of such devices to legitimate actors only, and therefore the importation, possession, sale, and use by illegitimate actors will not be permitted.” The agency is already working with Canadian companies, online retailers, and the automotive industry to address this issue and is reportedly considering a licensing approach. An updated plan is scheduled to be released in winter 2024.

What Can Be Done to Enhance Security Measures?

The Flipper Zero is just one of many tools hackers have at their disposal. Companies and organizations need to be just as proactive about preventing intrusions – both physical and virtual. Companies need to take steps to harden their security measures. This includes using stronger encryption protocols for access control systems and implementing robust network security practices.

Schedule a Consultation with Engineering PLUS Security Experts

If your company or organization is concerned about potential security breaches, contact our team of security experts. We design multi-layered security systems and plans to protect against breaches. Our systems are easy to use and designed to meet your unique needs. And our team stays up to date on the latest tools and tech so that we know the best ways to defend against them.