Flipper Zero is the most trending hacking tool on TikTok
Numerous structures in the US, including federal buildings and the door to your next hotel room, are secured with RFID-controlled locks.
I recently encountered close to 20 of these keyless entry devices on my way to my office; they are among the most common in the entire world.
However, the locks on many of these doors could probably be bypassed by a fun, palm-sized device with a Tamagotchi-like interface.
The Flipper Zero is a portable pen-testing tool that costs $200 and is intended for hackers of all technical skill levels.
The device is concealable, smaller than a phone, and packed with a variety of radios and sensors that let you intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and practically any other device that communicates wirelessly in close proximity.
For instance, I quickly and painlessly duplicated the signal of an office RFID badge that was neatly tucked inside my wallet using the Flipper Zero.
Flipper Zero has become so popular on TikTok that if you hadn’t heard of it there, you may have assumed it was a device that could make things like ATMs spit out cash, automobiles unlock themselves, and gas pumps spill for no cost.
I tested one during the past week to see if everyone was as at risk from Flipper Zero as social media suggested.
What I discovered was conflicting: the majority of the most dramatic videos on TikTok are probably staged (most modern wireless devices are not vulnerable to simple replay attacks), but the Flipper Zero is still unquestionably potent, providing seasoned pen-testers and aspiring hackers with a handy new tool to test the security of the most common wireless devices in use today.
Flipper Zero is compared to a Swiss Army knife in evaluations as a tool for physical penetration testing.
However, throughout my week-long testing of Flipper Zero, it seemed more like a blacklight—something I could actually hold up to a gadget to expose information about how it operated, what data it was transmitting, and how frequently it was doing so—information that was unseen to the human eye.
Here is a quick summary of some things I discovered this week thanks to Flipper Zero:
You can learn your pet’s body temperature via some animal microchips.
Anyone within signal range can get the data from my neighbor’s car’s tyre pressure sensor.
Every several seconds, my iPhone fires infrared impulses into my face.
I have signal-jamming detection incorporated into my home security system.
A soap dispenser in the WIRED office restroom advertises when it needs to be refilled.
One of the co-creators of Flipper Zero, Alex Kulagin, confirmed that this is exactly what the device is intended for when I told him about my experiences using it to record these types of banal observations.
The wireless world is all around you but is tough to understand, so we want to help you understand it thoroughly and learn how it works.
Flipper Zero was initially conceptualised in 2019 by Kulagin and Pavel Zhovner, a business partner.
Since then, their business has sold 150,000 devices and approximately 50 more employees have joined their team.
However, they have run into some opposition as they grew.
PayPal blocked more than $1.3 million in payments this summer, while US Customs and Border Patrol confiscated a shipment of electronics in September.
Kulagin claims that CBP eventually released the shipment after holding it for a month, but has not yet provided the company with an explanation.
The High Tech Crime Cops is a business organisation made up of law enforcement officers that, according to its website, “connects cyber cops and investigators,” and Bob Zahreddine is a lieutenant with the Glendale Police Department and an executive officer there.
Zahreddine claims that the CBP’s interest in Flipper Zero doesn’t necessarily surprise him.
Flipper Zero has the potential to be used in many kinds of crime since it is so adaptable, he claims.
Indeed, it’s simple to see how someone could use this tool to breach the law or even just cause some minor mayhem.
For instance, I was able to capture the signal that my neighbor’s garage door opener emits when he pulls into his driveway using Flipper Zero in addition to being able to copy the ID badge of my office.
My Flipper Zero was able to read the number on my credit card through my wallet and jeans, and it is probable possible to open older autos that don’t use rolling code encryption using the gadget.
However, Kulagin isn’t overly concerned about the potential for criminal mischief that his tool could do.
Obviously, certain older vehicles are more susceptible to Flipper.
But by definition, they aren’t secure—not that’s Flipper’s fault, he claims.
There are wicked individuals out there, and they can use any computer to do bad things.
We have no desire to disobey any laws.
To that purpose, Flipper Zero’s firmware by default restricts users from transmitting on frequencies that are restricted in the nation the device is in, and the Discord server for Flipper Zero expressly forbids conversations regarding alternate firmware that contains restricted capabilities.
(However, given that the project is open source, a knowledgeable Flipper user may modify the firmware to enable extra, potentially harmful, features.)
Additionally, no encrypted signals may be copied or replayed by the instrument.
For example, even though I could read the signal from my credit and debit cards, I was unable to use that signal to make a purchase using a contactless payment system. This was a hardware limitation with the device and was not something that could be overcome through software modifications.
A Flipper Zero allows anyone who is interested in learning about the gadgets around them a way to access and analyse the signals and protocols that run our lives, even though using one can get you into trouble.
Personally, after using the Flipper Zero for a week, I am more interested in the technology I come across when out and about.
I’ve started to think more like a pen-tester.