Illustration by Lille Allen / The Verge
Every once in a while, something comes along that every nerd out there covets. I have lost more than my fair share of time and money on my MiSTer, I have pined for a Steam Deck, and I am currently following restock bots for any Raspberry Pi I can get my hands on for less than 100 bucks during the Grand Pi Shortage of 2022.
But few devices have captured the imagination of your friend who works in IT quite like the Flipper Zero: a hacking multi-tool shaped like a playful child’s toy and adorned with a friendly dolphin. Packed with a range of sensors, chips, and antennas, the Flipper lets you make playful mischief with all sorts of devices, from security gates to card readers.
There are drawbacks to the mischief business. The company that makes the gadget has had to deal with payments of more than $1.3 million being held up by PayPal and shipments of devices being held up by US Customs — all of which gives the device a certain cachet among the hacker set.
What is it?
To the untrained eye, the Flipper Zero looks like a toy. It’s a small, orange and white plastic device with a playful, Tamagotchi-like dolphin on its monochrome orange 1.4-inch display. Cute! But in reality, the Flipper Zero is a multi-tool that covers many of your hacking needs. Imagine a Leatherman or a Swiss Army knife but for talking to electronics, and you have a general sense of what the Flipper Zero can do. To nobody’s surprise, it’s open source and was successfully funded on Kickstarter to the tune of roughly $4.6 million.
What really sets it apart from other tools, aside from the stylish Y2K design, is its flexibility. While some tools, like the Chameleon Mini, have a limited number of tools at their disposal, the Flipper has several. It can talk to sub-1GHz devices like old garage doors, both Low- and High-Frequency RFID, NFC cards, Infrared devices, and even Bluetooth. You may have seen viral videos of people using the flipper to mildly annoy Tesla owners by remotely opening up their charging ports — but the real power of the flipper is its versatility. Just about every wireless device is vulnerable to it in some way or another.
What can it do?
It’s best to answer this question one antenna at a time. The sub-1GHz transceiver allows it to interact with old-fashioned devices like garage doors, restaurant pagers, gates, gas station price signs and doorbells. The 125kHz antenna lets you read, clone, and emulate older prox cards. In conjunction with the NFC module, it can read, write, and emulate both low and high-frequency NFC devices like tap cards. And the infrared transceiver lets it learn any IR device on the fly. Lose the remote to your air conditioner or sound bar in a move? The Flipper can not only learn how to do that, but it’s also probable that someone else has figured out the code already. Want to turn off your robot dog for comedic effect? Go nuts.
On top of all that, the Flipper allows you to run BadUSB attacks by connecting the device to a computer via USB and running a whole array of Ducky Scripts, some more annoying than others. If you already know about the USB Rubber Ducky, then some of this may be familiar to you. For something a little less malicious, you can use it to store U2F keys to do two-factor authentication. And you’re not limited to using the tiny screen. You can also connect your phone to the flipper via Bluetooth and control it with this very handy app. There is also a microSD card slot for storing data.
Importantly, the Flipper does not have WiFi out of the gate. However, the device has quick access to the GPIO pins, allowing you to add a WiFi Devboard or ESP8266 to it for various fun projects like pen-testing, deauth, probes, and more.
Aside from the basic capability of the device, The Flipper has a robust and vibrant community out there supporting it. There are tons of resources online, and folks are finding fun new ways to use the device all the time. Obviously, it can run a weird version of DOOM. And Tetris! And Flappy Bird! You can use it to emulate Skylanders and Amiibos! If you somehow stumble upon a working pay phone, you can do good old-fashioned phone phreaking! And because the project is open source, there is nothing stopping you from installing your own firmware (and many people do).
How much of a threat is it?
This is where we get into territory that gets shipments held up by Customs.
The Flipper Zero is a very powerful tool, and in the wrong hands, it could be used very maliciously, but you could say the same thing about a Raspberry Pi that you have turned into a Pwnagotchi, various ESP 8266 boards, or even just your phone.
As always, it’s important to note that a tool is frequently only as useful or dangerous as the person using it. The tools to create chaos are out there, but that requires planning and the decision to do that. An individual has to choose if they want to copy keycards, mess with gas station price signs, or force someone’s computer to subscribe to your YouTube channel. And with most hacking tools, the greatest utility is typically testing your own security, not attacking others.
At the same time, some people just want to mess around with wireless signals. I know more than one person who happily bought a Flipper Zero but mainly uses it to do stuff like turn on their air conditioner. On its own, the Flipper Zero is not going to turn a legion of IT guys into Watch Dogs protagonists, and a not insignificant portion of people will just use it to clone the key to their condo and inconvenience other, slightly more clueless Tesla owners.
Could I use it myself?
Absolutely. The app is very straightforward, the interface is simple to use, and people are adding robust scripts to it every day that you can find if you know how to search GitHub. There is also a healthy forum (shocking in this day and age!) and a robust and friendly Discord server that you can join if you need any help with a project.
That is, of course, if you can get one. Or a Raspberry Pi. Anyway, good luck with that in the near future.