Disclaimer: Like many devices dedicated to hacking, the Flipper Zero itself is perfectly legal and complies with all regulations. It serves as an amazing tool for learning and experimenting with all kinds of devices. Yet, it has the ability to be used for illegal purposes. IT Audit Labs does not condone any illegal activities enabled by the Flipper Zero and recommends that anyone who uses the Flipper Zero ensures that they’re complying with local laws and regulations.
March, 2024 Updates: See below for recent updates on The Flipper Zero, including a new gaming peripheral, a potential ban in Canada, as well as a new competitor in the M1.
My name is Cameron Birkland, and outside of my day job as a security engineer, I’ve been spending quite a bit of time experimenting with the Flipper Zero.
Due to its small form factor and the range of nearby devices it can “hack”, the Flipper Zero has received extensive news coverage, and not always in a positive light. Suddenly, someone with little knowledge of radio frequencies can capture and replay a garage door remote, or flood every iPhone in a room with bogus pairing pop-ups. Over the course of this article, I cover what I’ve learned about the device, review its capabilities, show how its functionality can be expanded through firmware or additional hardware, and share a few tips for how you can get started.
What is a Flipper Zero?
Referred to as a “portable multi-tool device for geeks”, The Flipper Zero is essentially a portable, all-in-one solution for breaking into the world of Sub-1 GHz frequencies, RFID, NFC, infrared, or even the lesser-known iButton. The Flipper Zero takes all these features and packs them into a device smaller than your smartphone, all with an approachable, easy-to-use interface.
With readily available apps and plugins, just about anyone can pick one up and start capturing signals that were otherwise limited to those with specialized tools and extensive knowledge, all in a discreet, pocket-sized package.
What can you do with a Flipper Zero?
The Flipper Zero is most notable for its ability to receive and transmit sub-1GHz frequencies. This gives it the ability to interact with many household objects, including:
Garage door openers
Wireless doorbells
Smart plugs
Smart switches
Remote-operated gates
With minimal effort, your Flipper Zero can read the signal sent by a remote, save it, and replay it as many times as you want. I’ve personally used this functionality to operate my garage door opener as well as a remote-controlled outlet. The caveat is that this only works for fixed-code remotes, which transmit the same bits on every press; rolling-code remotes (KeeLoq, Security+ and similar) change the code each time, so a saved capture is rejected by the receiver, and the stock firmware restricts replaying those protocols anyway.
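To make the fixed-code versus rolling-code distinction concrete, here is an added example (my own code, not from the original post or the Flipper project) that parses the RAW capture format the Flipper saves to its SD card (a `.sub` text file whose `RAW_Data` lines list pulse durations in microseconds, positive for carrier on, negative for carrier off), decodes a Princeton/PT2262-style fixed-code frame, and then compares several presses of the same button. The captures are synthesized inside the script; the timing constants and the 24-bit key length are typical PT2262 values and are assumptions, not measurements from any particular remote.

```python
"""Parse Flipper Zero Sub-GHz RAW captures and decode a Princeton/PT2262-style
fixed-code remote, then check whether repeated presses of one button produce
the same code (fixed code: replayable) or not (rolling code: not replayable).

Princeton timing (TE = base period, about 400 us): bit 0 = high 1 TE, low 3 TE;
bit 1 = high 3 TE, low 1 TE; a frame ends with a short high and a ~31 TE low
sync gap. The captures below are synthesized, not real recordings.
"""
from typing import List, Optional

TE = 400  # microseconds; typical PT2262 base period (assumption)

def encode_princeton(key: int, bits: int = 24, te: int = TE, jitter: int = 0) -> str:
    """Synthesize a RAW .sub file holding one Princeton frame (test input only).
    `jitter` skews every pulse by a few microseconds, as a real receiver would see."""
    pulses: List[int] = []
    for i in range(bits - 1, -1, -1):
        bit = (key >> i) & 1
        hi, lo = (3 * te, te) if bit else (te, 3 * te)
        pulses += [hi + jitter, -(lo - jitter)]
    pulses += [te, -(31 * te)]  # sync: short high, long silence
    header = ("Filetype: Flipper SubGhz RAW File\nVersion: 1\n"
              "Frequency: 433920000\nPreset: FuriHalSubGhzPresetOok650Async\n"
              "Protocol: RAW\n")
    return header + "RAW_Data: " + " ".join(map(str, pulses)) + "\n"

def parse_sub_raw(text: str) -> List[int]:
    """Return the signed pulse list from a RAW .sub file (all RAW_Data lines concatenated)."""
    pulses: List[int] = []
    protocol = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Protocol":
            protocol = value
        elif key == "RAW_Data":
            pulses.extend(int(v) for v in value.split())
    if protocol != "RAW":
        raise ValueError(f"not a RAW capture (Protocol: {protocol})")
    return pulses

def decode_princeton(pulses: List[int], te: int = TE, bits: int = 24) -> Optional[int]:
    """Decode the first complete Princeton frame; None if no well-formed frame is present."""
    def near(x: int, target: int) -> bool:
        return abs(x - target) <= te // 2  # +/- half a period of tolerance

    frame: List[int] = []
    i = 0
    while i + 1 < len(pulses):
        hi, lo = pulses[i], -pulses[i + 1]
        if hi <= 0 or lo <= 0:      # not a high/low pair: resync one pulse later
            i += 1
            continue
        i += 2
        if near(hi, te) and near(lo, 3 * te):
            frame.append(0)
        elif near(hi, 3 * te) and near(lo, te):
            frame.append(1)
        elif lo > 10 * te:          # sync gap closes the frame
            if len(frame) == bits:
                return int("".join(map(str, frame)), 2)
            frame = []
        else:                       # noise: drop the partial frame
            frame = []
    return None

def classify_remote(captures: List[str]) -> str:
    """Decode several captures of one button. Identical codes mean a fixed-code remote,
    which a saved capture will replay; changing codes mean a rolling code, which it will not."""
    keys = [decode_princeton(parse_sub_raw(c)) for c in captures]
    if any(k is None for k in keys):
        return "undecodable"
    return "fixed-code" if len(set(keys)) == 1 else "rolling-code"

# Constructed samples: three presses of a fixed-code remote with receiver jitter...
FIXED_PRESSES = [encode_princeton(0x1E4A5B, jitter=j) for j in (0, 25, -20)]
# ...and a toy stand-in for a rolling code (real ones use other encodings, but the
# observable property is the same: the decoded code changes on every press).
ROLLING_PRESSES = [encode_princeton(k) for k in (0x3A91C2, 0x3A91C3, 0x3A91C4)]

if __name__ == "__main__":
    print(hex(decode_princeton(parse_sub_raw(FIXED_PRESSES[0]))))   # 0x1e4a5b
    print(classify_remote(FIXED_PRESSES), classify_remote(ROLLING_PRESSES))
```

The useful habit here is capturing the same button two or three times before assuming replay will work: if the decoded code is identical every time, the receiver is accepting a static credential and a single capture is enough; if it changes, you are looking at a rolling code and replay is the wrong tool.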
NFC and RFID
As mentioned above, the Flipper Zero can read and emulate common 125 kHz RFID cards and 13.56 MHz NFC cards/tags, and it can write to many NFC tags. This lets it interact with a range of cards, keys and chips, anything RFID or NFC enabled, down to a pet microchip – there are even documented cases of people reuniting lost pets using the device!
Door Keycards
Another popular use case is reading and emulating door access cards/key fobs.
Modern access systems whose cards authenticate to the reader (MIFARE DESFire and similar, where the card proves knowledge of a key rather than just broadcasting an ID) are far less exposed; older low-frequency cards such as EM4100 and HID Prox transmit a static ID that the Flipper can read and emulate in seconds. If you have access and permission, information is available online as to whether a particular system’s cards can be copied by the Flipper Zero.
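Why a static-ID card is so easy to clone is clearest from its bit layout. The following is an added example (my own code, not from the original post or the Flipper project) that builds and decodes the 64-bit frame a 125 kHz EM4100-style card repeats continuously: 9 header ones, ten rows of 4 data bits plus an even row-parity bit, 4 column-parity bits and a 0 stop bit. There is no secret anywhere in it, so one read yields everything needed to emulate the card. The card ID and the sampled stream are constructed, not real captures.

```python
"""Bit layout of a 125 kHz EM4100-style proximity card.

Frame (64 bits): 9 header bits of 1, then ten rows of 4 data bits + 1 even
row-parity bit (the 40-bit ID: 8-bit version/customer code + 32-bit serial),
then 4 even column-parity bits, then a 0 stop bit. The card repeats this frame
forever; a reader may start sampling anywhere in it.
"""
from typing import Optional

def em4100_encode(uid: bytes) -> str:
    """Build the 64-bit frame a card with this 5-byte ID transmits (as a '0'/'1' string)."""
    if len(uid) != 5:
        raise ValueError("EM4100 IDs are 5 bytes (40 bits)")
    bits = [1] * 9                      # header: nine ones, never produced by data rows
    cols = [0, 0, 0, 0]
    for byte in uid:
        for nibble in (byte >> 4, byte & 0xF):
            row = [(nibble >> s) & 1 for s in (3, 2, 1, 0)]
            bits += row + [sum(row) % 2]  # even row parity
            cols = [c ^ r for c, r in zip(cols, row)]
    bits += cols + [0]                  # column parity and stop bit
    return "".join(map(str, bits))

def em4100_decode(stream: str) -> Optional[bytes]:
    """Recover the ID from a 64-bit stream sampled at an arbitrary point in the card's
    repeating transmission; None if no rotation passes both parity checks."""
    if len(stream) != 64:
        return None
    doubled = stream * 2                # try every rotation of the repeating frame
    for start in range(64):
        frame = doubled[start:start + 64]
        if not frame.startswith("1" * 9) or frame[63] != "0":
            continue
        rows = [frame[9 + 5 * r: 14 + 5 * r] for r in range(10)]
        if any(sum(map(int, row[:4])) % 2 != int(row[4]) for row in rows):
            continue                    # row parity failed
        if any(sum(int(row[c]) for row in rows) % 2 != int(frame[59 + c]) for c in range(4)):
            continue                    # column parity failed
        nibbles = [int(row[:4], 2) for row in rows]
        return bytes((nibbles[2 * i] << 4) | nibbles[2 * i + 1] for i in range(5))
    return None

UID = bytes.fromhex("1A2B3C4D5E")       # constructed card ID
FRAME = em4100_encode(UID)
# A reader starts sampling mid-frame; rotate the frame to imitate that.
CAPTURED_STREAM = FRAME[17:] + FRAME[:17]
# One flipped data bit: parity catches it and the decoder refuses to guess.
CORRUPTED_STREAM = FRAME[:20] + ("1" if FRAME[20] == "0" else "0") + FRAME[21:]

if __name__ == "__main__":
    print(FRAME)
    print(em4100_decode(CAPTURED_STREAM).hex())   # 1a2b3c4d5e
    print(em4100_decode(CORRUPTED_STREAM))        # None
```

Everything the decoder recovers is also everything an emulator needs to transmit, which is the whole problem with this class of credential: the reader cannot tell a card from a device replaying the same 64 bits.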
Bluetooth Low Energy Devices (BLE)
Bluetooth Low Energy is a lower-power, lower-bandwidth alternative to classic Bluetooth, and, you guessed it, the Flipper Zero has a BLE radio too, so devices that listen for BLE advertisements are within its reach.
BLE devices announce themselves by broadcasting advertising packets, and Apple uses these (its Continuity protocol) to make an iPhone pop up a pairing or proximity dialog when, say, a set of AirPods or an Apple TV is nearby. Nothing in that packet is authenticated, so a Flipper can forge it. Firmware options like Xtreme ship an “Apple BLE Spam” app that broadcasts a stream of such packets, burying any active iOS device within range in a flood of pop-ups, effectively a denial of service (range is limited by the Flipper’s modest transmit power, so think a room, not a building). Apple reduced the impact with changes in iOS 17.2. There aren’t necessarily any implications beyond annoyance, but it’s another reason the Flipper has seen so much attention: if you experience an endless string of pairing requests, Apple TV notifications, and other seemingly random pop-ups, look around and you might just see a Flipper Zero.
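What this looks like on the air, and one simple way to spot it, as an added example (my own code, not from the original post or any firmware project): a BLE advertising payload is a sequence of AD structures, each `[length][type][data]`, and Manufacturer Specific Data (type 0xFF) begins with a 16-bit little-endian company ID, Apple’s being 0x004C. Spam tools emit such payloads from many different randomized source addresses, so counting distinct addresses per second that carry Apple manufacturer data separates a room full of real devices from a spam burst. The threshold, the placeholder payload bytes and the sniffed events are all constructed; nothing here decodes Apple’s actual message types.

```python
"""Parse BLE advertising payloads and flag a burst of Apple-branded
advertisements from many distinct source addresses. Events are constructed,
not sniffed; the threshold is a heuristic, not a vendor value."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier for Apple

def parse_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs; stop at zero padding
    or a structure whose declared length runs past the payload."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            break
        out.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def apple_manufacturer_payload(adv: bytes) -> Optional[bytes]:
    """Return the bytes after Apple's company ID if the payload carries it, else None."""
    for ad_type, data in parse_ad_structures(adv):
        if ad_type == 0xFF and len(data) >= 2 and int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
            return data[2:]
    return None

def detect_adv_burst(events, window_s: float = 1.0, max_addrs: int = 10) -> List[int]:
    """events: (timestamp_s, source_addr, adv_bytes). Return the window indices in which
    more than max_addrs distinct source addresses advertised Apple manufacturer data.
    A handful of real Apple devices per window is normal; dozens of fresh random
    addresses per second is not."""
    addrs_per_window: Dict[int, Set[str]] = defaultdict(set)
    for ts, addr, adv in events:
        if apple_manufacturer_payload(adv) is not None:
            addrs_per_window[int(ts // window_s)].add(addr)
    return sorted(w for w, addrs in addrs_per_window.items() if len(addrs) > max_addrs)

def apple_adv(payload: bytes) -> bytes:
    """Construct a payload: Flags AD structure + Manufacturer Specific Data with Apple's ID."""
    flags = bytes([0x02, 0x01, 0x06])
    msd_body = bytes([0xFF]) + APPLE_COMPANY_ID.to_bytes(2, "little") + payload
    return flags + bytes([len(msd_body)]) + msd_body

PLACEHOLDER = bytes(range(7))  # opaque stand-in for the vendor data; carries no meaning here

# Constructed traffic. Normal: two Apple devices advertising every 100 ms for 3 s.
NORMAL_EVENTS = [(0.1 * n, addr, apple_adv(PLACEHOLDER))
                 for n in range(30) for addr in ("c4:12:00:00:00:01", "c4:12:00:00:00:02")]
# Spam: 40 different random-looking addresses inside second 5, one Apple payload each.
SPAM_EVENTS = [(5.0 + 0.02 * i, f"7e:00:00:00:00:{i:02x}", apple_adv(bytes([i]) * 6))
               for i in range(40)]

if __name__ == "__main__":
    print(detect_adv_burst(NORMAL_EVENTS))                # []
    print(detect_adv_burst(NORMAL_EVENTS + SPAM_EVENTS))  # [5]
```

The same parser is what you would point at a real capture from a BLE sniffer; only the event source changes.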
Flipper Zero firmware, peripherals, and other ways to expand its functionality
The Flipper Zero’s internal hardware already offers a wide range of capabilities, and they are dramatically enhanced by installing third-party firmware or adding compatible hardware.
Flipper Zero Firmware
A few of the most popular firmware options are Unleashed, Xtreme, and RogueMaster. Each adds features on top of the stock firmware, with a slightly different feature set in each. I recommend checking each firmware’s GitHub page for the details, but some key features include the ability to change the UI (in Xtreme and RogueMaster), additional NFC, RFID, and Sub-GHz protocols, support for saving and sending rolling-code protocols (which the official firmware restricts), the ability to run a “bad keyboard” keystroke-injection attack over Bluetooth rather than USB, and too many plugins and games to list here.
Peripheral Devices
The Flipper Zero has a row of GPIO (General-Purpose Input/Output) pins that allow you to interface your Flipper Zero with external hardware.
The WiFi devboard is an example of a “hat” that works as a plug-and-play attachment for the Flipper Zero. You can find unofficial accessories on sites such as Tindie, where you can purchase them pre-made, which is what I did with my NRF24 board below:
An NRF24 chip lets you talk to devices that use the 2.4 GHz band but aren’t Bluetooth or Wi-Fi (for example, a wireless mouse or keyboard). Adding the NRF24 board to my Flipper Zero allowed me to sniff and intercept data sent between a Logitech Unifying receiver and keyboard, enabling a wireless bad-keyboard attack.
2024 Update: Video Game Peripheral Now Available
The Flipper Zero team has released a new peripheral they call the Video Game Module. The module attaches to the Flipper Zero using the GPIO pins on the top and adds a few useful features, including an HDMI port, a gyroscope and accelerometer, and 14 GPIO pins of its own. What makes this module so interesting is that it is built around the Raspberry Pi RP2040 microcontroller, effectively making it a standalone device. It even has its own USB-C port, so you can interface directly with the RP2040. Despite being called a video game module, its potential use cases extend well beyond video games.
If you’re a cybersecurity professional, here’s what you need to know
While the Flipper Zero may seem similar to many other “hacking” devices, like those sold by Hak5, those mostly target computers and networks; the Flipper’s ability to interact with the radios, cards and remotes we find throughout our modern world takes it beyond the scope of a computer.
In the wrong hands, there can be physical security implications for people’s homes and businesses. It’s clear that some older, commonly used protocols, such as Security+ 2.0, can no longer be considered secure, and the means to capture and replay these protocols are easier to obtain than ever. If you are assessing a site, find out which protocol its gates and garage doors actually use: a fixed-code system falls to a single capture, while a rolling-code system is only as strong as its implementation.
Like many available “hacking” devices, the Flipper Zero is a capable device that is not to be underestimated. This doesn’t mean that all physical security is compromised and anyone with a Flipper Zero is dangerous, but it should certainly be considered when it comes to the security of your home, business, and personal devices.
2024 Update: The Flipper Zero could be banned in Canada...
In an effort to curb vehicle theft, the Ministry of Innovation, Science, and Industry in Canada has announced its intent of “Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.”
The Flipper Zero is the primary target, but the wording is broad enough to include devices such as the HackRF One, a Software Defined Radio (SDR) that overlaps with the Flipper Zero’s Sub-GHz functionality and goes well beyond it, covering roughly 1 MHz to 6 GHz.
The primary concern is that legislation to ban devices like the Flipper Zero would stifle innovation and curiosity, particularly in the cybersecurity space. Devices like the Flipper Zero lower the barrier for someone to take up an interest in cybersecurity, particularly when it comes to sub-GHz frequencies. Banning the sale of these devices would only prevent them from getting in the hands of common citizens, while a “criminal”, or someone that really wants it, would not be deterred by a law banning its purchase. Finally, this law does not address the root cause – manufacturing devices that are vulnerable to simple attacks in the first place. Legislation efforts would be better placed towards addressing the reason vehicles are vulnerable, rather than the device that exploits those vulnerabilities.
How to get started with the Flipper Zero
If you’re just starting out, the best place to buy the Flipper Zero is the official Flipper Zero store. It’s easy to come across supposed “deals” from third-party sellers, but there are too many scams out there for deal hunting to be worthwhile.
I recommend picking up the screen protector as the plastic screen scratches easily, and the silicone case is useful if the device is dropped. If you’re interested in Wi-Fi penetration testing or want to update the Flipper Zero’s firmware wirelessly, the WiFi devboard is a good accessory to pick up as well.
Once you’ve ordered the Flipper Zero, I recommend getting acquainted with some of the projects you can find on the Flipper Forum and the Flipper Zero subreddit. Then, start experimenting! It is rewarding when you finally capture that first signal or open your first garage door. Keep in mind that the Flipper Zero has many different functions, so if one experiment doesn’t work out, don’t be discouraged – there's plenty to do! Obviously, just be responsible out there.
2024 Update: What is the M1 and how does it compare to the Flipper Zero?
As of February 2024, a new device with some striking similarities to the Flipper Zero was announced on Kickstarter by the company Monstatek. The campaign has been very successful, raising well over $1,000,000. Known as the M1, its hardware and features are nearly at parity with the Flipper Zero, the main exception being the M1’s built-in Wi-Fi. The two devices are extremely similar in size and shape, and the button layout on the new M1 is identical. A notable difference is that the Flipper Zero takes on a more “fun” personality with its dolphin character, while the M1 has a cleaner, more mature look. The M1 has a retail price of $165 and the Flipper Zero sells for $169.
Given the novelty of the Flipper Zero, it’s surprising to see such a similar device attempting to occupy the same niche. Because the devices are so extremely similar, there are few advantages to owning both of them – they have the same capabilities in a similarly-sized case.
Want to know more?
This blog post was initially inspired by our bi-monthly podcast – The Audit – check out the full podcast episode below, or you can listen in on Apple Podcasts or Spotify.
For even more information on the Flipper Zero, I’ve listed a few relevant links below, and if you have any other questions, feel free to send them over via our Contact page.
Thank you for reading!
- Cameron Birkland