RFID-controlled locks are widely used across the United States, and you may find one on your next hotel room’s door. Nearly twenty of these keyless entry systems, which are among the most common in the world, greeted me on my way to work the other day. However, a fun palm-sized device with a Tamagotchi-like interface may well bypass the locks on many of these doors.
Flipper Zero, available on Amazon for $200, is a pocket-sized pen-testing tool made for hackers of varying skill levels. It’s smaller than a phone, so it’s easy to hide, and it’s packed with a variety of radios and sensors that let you intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and pretty much any other device that communicates wirelessly over short ranges. For instance, I was able to successfully clone the signal of an RFID badge from my office, which was concealed in my wallet, using the Flipper Zero in a matter of seconds.
If you had only heard about Flipper Zero on TikTok, where the tool has become popular, you might assume it is a gadget that can make ATMs spew out money, cars unlock themselves, and gas spill out of pumps for free. This past week, I put one through its paces to see if the world really was as vulnerable to Flipper Zero as was being portrayed in the media.
Many of the most dramatic videos posted to TikTok are likely staged, since most modern wireless devices are not vulnerable to simple replay attacks. However, the Flipper Zero is undeniably powerful, giving aspiring hackers and seasoned pen-testers a convenient new tool to probe the security of the world’s most ubiquitous wireless devices.
According to testimonials, Flipper Zero is to physical penetration testing what a Swiss Army knife is to other areas of expertise. But throughout the week I spent with Flipper Zero, I got the impression that it was more like a blacklight, illuminating details that were otherwise hidden from the naked eye: the device’s inner workings, the data it was emitting, and how often it did so.

This week, I’ve learned a few things with the help of Flipper Zero. Some animal microchips can report the temperature of your pet. Anybody within range of the signal from my neighbor’s car tyre pressure sensor can read its contents.
Every few seconds, my iPhone sends an infrared signal straight into my face. My alarm system automatically detects when a transmission is being jammed. The soap dispenser in the WIRED office restroom will notify a staff member when it runs out of soap.
When I told Alex Kulagin, one of the designers of Flipper Zero, that I had used his tool to make such inconsequential observations, he said that this was its intended purpose. They aim to help you “understand something profoundly,” “examine how it works,” and “explore the wireless world” that is “all around you but tough to understand,” he says.
In 2019, Kulagin and his collaborator Pavel Zhovner conceived Flipper Zero. Since then, they have hired roughly 50 people and sold 150,000 units. However, as they have expanded, they have run into some opposition. PayPal froze almost $1.3 million in payments last summer, and US Customs and Border Protection intercepted a shipment of gadgets in September.
Kulagin claims that CBP released the shipment after a month, but has not explained why it was delayed. In response to WIRED’s request for comment on the confiscated Flipper Zeros, CBP said they would not be providing any.
Lieutenant Bob Zahreddine of the Glendale Police Department is also an executive officer with High Tech Crime Police, an organisation of law enforcement professionals that “connects cyber cops and investigators,” as stated on the organization’s website. According to Zahreddine, the fact that CBP is interested in Flipper Zero isn’t too shocking. Flipper Zero, he argues, “has the potential to be utilised in many forms of criminality” due to its high degree of customization.
Investigators can consult with one another and learn about the latest innovations in policing technology by subscribing to Zahreddine’s listserv. Although he hasn’t heard any talk of Flipper Zero being used in any crimes on his listserv, he told WIRED that detectives there have been aware of the programme and have been tracking its progress since Kulagin and Zhovner started crowdfunding on Kickstarter.
One can very easily picture how someone may use this equipment to commit some sort of illegal act or even just some sort of petty mischief. With Flipper Zero, I was able to clone the office ID badge and even record the signal from my neighbor’s garage door opener as he pulled into his driveway. My Flipper Zero could read my credit card number through my wallet and jeans, and it could probably unlock older autos that don’t employ rolling code encryption.

Yet Kulagin seems unconcerned that his invention could be used for evil. “There are, without a doubt, classic automobiles that Flipper can easily damage. But they’re not safe, and that’s not Flipper’s fault,” he continues. “It’s important to remember that malicious actors can use any available computer to commit crimes. We have no intention of breaking the law.”
That’s why the stock firmware on every Flipper Zero is designed to prevent users from broadcasting on frequencies that are unlawful in their country, and the official Flipper Zero Discord server prohibits talking about custom firmware that includes capabilities that break the law. No encrypted signals can be copied or replayed by the tool either.
For instance, I could read the signal from my credit and debit cards, but I couldn’t use that signal to make a purchase using contactless payment methods. Given the open nature of the project, however, a malevolent user might potentially add new features to the Flipper by modifying the firmware.
When I inquired, Kulagin said he hadn’t heard from the police over the Flipper. “Not yet at least,” he says.
Although a Flipper Zero could be misused, it is undeniable that it provides any curious person with a chance to access and analyse the signals and protocols that power our everyday life. After a week of wearing the Flipper Zero, I find myself paying closer attention to the electronics I meet in everyday life. As of late, I’ve been thinking more like a hacker.