Quick Links
Key Takeaways
The Flipper Zero is an all in one "hacking" device. You can read, write, and emulate NFC, and RFID, send BadUSB scripts, and more. Its credit card-reading capabilities got it into trouble with Amazon.
What if you combined the classic and cute concept of a Tamagotchi pet toy with the capabilities of Sci-Fi hacker devices? You know the type, hold it up, and it just does the hacking, ignoring all reality. Well, you'd almost get the Flipper Zero, a very real product that Amazon banned from its store.
According to Amazon, the company banned the Flipper Zero, a $169, self-described "portable multi-tool for pentesters and geeks in a toy-like body," for breaking its rules against card-skimming devices. The allegation is that, theoretically, someone could use the Flipper Zero to steal credit card information and drain your bank account. At first glance, the Flipper Zero doesn't look like a traditional card skimmer. It really does resemble a digital pet device, and in many ways, it is one. But it's worth looking at Flipper Zero's total capabilities and how unique they are (or aren't) to understand the situation fully.
What Is a Flipper Zero
At its heart, the Flipper Zero is little more than a digital pet toy and a digital multi-tool rolled into one package. What is a digital multi-tool? Think about the classic multi-tool that serves as your one-stop shop for all things building. Pull out the right accessory, and you can cut, scissor, drive a screw, and more.
Along those same lines, the Flipper Zero contains a host of antennas and digital tools that let it accomplish multiple tasks (more on that in a bit). All of that hardware is wrapped up in a cute little case with a simple screen on it. Turn it on, and you're greeted by a Dolphin pet to play with, grow, and nurture. Only instead of playing onboard games and feeding it digital food like a Tamagotchi, the Dolphin wants you to hack the world. As you use its hardware to interact with real-world signals to varying effects, the Dolphin will grow and evolve.
The company behind the device doesn't hold back on what it means by "interacting with the world." Check out its website description of the device:
Flipper Zero is a portable multi-tool for pentesters and geeks in a toy-like body. It loves hacking digital stuff, such as radio protocols, access control systems, hardware and more.
So what can you" hack with a Flipper Zero? Well, lots of stuff.
What Can Flipper Zero Do?
Check out the specs for the Flipper Zero:
- OS: FreeRTOS
- CPU: STMicroelectronics STM32WB55
- Memory: 256 KB RAM,1024 KB Flash
- Removable storage: Micro SD (up to 256 GB)
- Display: Monochrome LCD 1.4-inch, 128 × 64 pixels
- Connectivity: NFC, 125 khz RFID, Sub-1 GHz Radio, Infrared port, Bluetooth LE
- Ports: GPIO pins, USB 2.0, 1-Wire
- Dimensions: 100 x 40 x 25 mm
- Mass: 104 grams
That's all the necessary hardware to interact with quite a few digital signals in the world.
Intercept Remote Signals
Using the sub-1 GHz radio, the Flipper Zero can intercept and emulate the signals a vehicle's remote sends out to unlock and lock a car. But that's somewhat limited, as most modern cars use a "rolling encryption" scheme. Flipper Zero might record the code your remote just sent, but it won't be useful since the code was a one-time-only event. However, older cars don't have that same protection, and theoretically, a Flipper Zero could be used to unlock such a vehicle.
That same radio can intercept other wireless signals too, such as those used for traffic barriers or IOT sensors. That's everything you need to theoretically change signs at a gas station, set off announcements at a Walgreens or similar stores, and open locks. The radio that makes this possible is actually possible to buy on Amazon directly, and you could theoretically create your own hardware for less money with the same capabilities.
Read and Clone RFID Cards and Data
Thanks to its RFID radio, a Flipper Zero can read, save, emulate, and brute force RFID cards. You may not think you have one of these, but chances are, you've at least used one. If you've stayed in a hotel that lets you tap a card to unlock the door, then you've likely used an RFID card. These often aren't encrypted, so theoretically, a Flipper Zero could clone a hotel key and then unlock a room. If the person in question got close enough access to your key.
Likewise, passports use RFID as well. However, those are encrypted with a key generated to your passport's expiration date and your date of birth. So if someone stole your passport, they could potentially break past the encryption. If they have your passport, you have worse problems, though.
Theoretically, a Flipper Zero could also brute force RFID locks, but that would likely be difficult. Most RFID locks have protections in place to prevent exactly this from happening. On the other hand, that same chip also allows the Flipper Zero to read pet microchips, giving you the capability to at least find out some information about a lost pet without taking it to the vet if the chip isn't encrypted.
Again, all of these capabilities are through an easy-to-obtain radio, and you could theoretically build a device yourself that can accomplish the same functions.
Read Write and Emulate NFC
As NFC is born out of RFID, it should come as no surprise that Flipper Zero can read, write, and emulate NFC as well. Much like RFID, how much the Flipper Zero can do comes down to encryption. Most modern NFC chips use encryption, limiting what the Flipper Zero can accomplish as well.
But if the NFC chip in question, whether it be a sticker, card, or device, is an older version without encryption, then the Flipper Zero can read from it, write to it (if it accepts that), and emulate the NFC chip. NFC is also used to unlock some doors, but again most modern NFC locks use encryption that blocks the Flipper Zero.
The big exception is tap-to-pay credit cards. Tap-to-pay credit cards rely on NFC, and they aren't encrypted because of how they work. Get one close to the Flipper Zero and it can pull a wealth of information about your card. But tap-to-pay credit cards don't typically broadcast your CVV, zip code, or the cardholder name. To get all that, the "hacker" would need to steal your credit card. At this point you have worse problems than the Flipper Zero can create.
We won't get into at much, but the Flipper Zero also has all the necessary hardware to read, write, and emulate iButton keys as well. These are older lock systems sometimes found in apartments and offices. You'd tap an iButton key's two contact points to the contact points on the lock. With access to the iButton key, you could copy the data and unlock the door without the actual key. Again, you can buy all the necessary parts to pull this trick off without a Flipper Zero.
BadUSB Add-Ons
If you own a Windows computer or a macOS device, then you're all too familiar with USB. What you may not realize is the vulnerability that those devices suffer from, dubbed BadUSB. In short, someone could leave a flash drive around, hoping you pick it up, and then when you plug it into your laptop thinking, "sweet new drive," it can load macros and scripts to do terrible things to your computer. Anything a hacker could do with direct access to your computer, they could do with a BadUSB device.
Once again, and I hope you've noticed the pattern by now, you can easily create a BadUSB device, even with some effort, using parts you can find on Amazon. A well-built device wouldn't be much larger than a flash drive, so you could hide it on the back of a PC tower and have it go unnoticed. The one thing Flipper Zero does have going for it, though, is remote capabilities. If you connected it to a Windows or Mac device through a USB cable, you could then control it from your phone elsewhere.
GPIO Pins for Expansions
If you've ever seen a Raspberry Pi, you're probably familiar with GPIO pins. They look like a series of metal pins, and you can use them to connect additional circuit board devices. The Flipper Zero also has GPIO pins, and with it you can give it additional capabilities like a Wi-Fi module, cameras, development boards, and more.
Flipper Zero sells several options already, and other third parties have developed even more boards. Therein lies the potential danger. You could, theoretically, add a board that gives the Flipper Zero 2.4 GHz RF capabilities, which could then intercept some wireless keyboard and mouse signals and emulate them. Again, newer wireless devices have hardened security to prevent this exact scenario, but many older wireless keyboards and mice are still in homes.
Why Amazon Banned Flipper Zero
Flipper Zero started as a highly successful Kickstarter product that actually delivered on all of its promises (an extremely rare event), before becoming available on its store website. Eventually, though, it made its way to Amazon.
But in recent days, Amazon banned Flipper Zero, and any searches for the device now only yield accessories like cases, add-on boards, etc. Why did Amazon ban Flipper Zero? Because the company considers the device as a "credit card skimmer."
Amazon has specific policies against credit card skimmers, and apparently, the ability to read any data at all from tap-to-pay cards was enough to trigger those rules. As reported by Bleeping Computer, Amazon sent third-party sellers notices with that explanation, stating:
This product has been identified as a card skimming device. Amazon policy prohibits the sale or listing of card skimming devices. ... We took this action because this product is not permitted for sale on Amazon.com. It is your obligation to make sure the products you offer comply with all applicable laws, regulations, and Amazon's policies.
Now again, while the Flipper Zero can pull an alarming amount of information from tap-to-pay cards, it's not anything any other RFID/NFC reader like this could pull. And you'd still need the actual card on hand to make any purchases. That worry could be avoided if tap-to-pay cards worked similarly to iPhones and Android phones. Those devices pass along one-time use data wireless. Even if it's intercepted, it's useless data that won't accomplish anything.
But it's Amazon stores, and it gets to set the rules.
Is Flipper Zero a Bad Device?
If you're wondering if the Flipper Zero is a "hacker device" that shouldn't be allowed on the market, well, the answer is complicated at best. Nothing the Flipper Zero does is technically illegal. It's what you do with those capabilities that cross the threshold of legal to illegal. Unlocking a door isn't illegal. Unlocking someone else's door without permission is illegal. That's the case whether you use a digital device, lockpicks, or even keys for that lock.
The same can be said of just about all of Flipper Zero's capabilities. And in truth, nothing the Flipper Zero can do is that unique. I hope you noticed the pattern above where in every case, the hardware the Flipper Zero used is readily available and easy to buy. You can build your own custom "Flipper Zero," all you'd be missing is the cyber dolphin that gets mad at you for not hacking things often enough.
The difference here, though, is the barrier of entry. Buying the parts for, building, and programming your own device that can intercept car keyfob signals or emulate hotel key cards used to be more difficult. Even when you could buy a device that did all that, it was through a shady grey market.
The Flipper Zero lowers the barrier of entry significantly. It's affordable at less than $200, can be modified to do more, and has a community ready and willing to teach you how to get the most out of it. You can even install custom-made scripts from GitHub without any real coding knowledge. Find the one that does what you want, download, and install.
Theoretically, the Flipper Zero is a tool, and the user is nefarious. In practice, the ability to commit nefarious acts is assisted by Flipper Zero's ease of use. You can argue that responsibility lies with the tool user or that some tools shouldn't be so readily available. In either case, the Flipper Zero has done a good job of illuminating common vulnerabilities in our everyday life. If those vulnerabilities aren't patched, then the debate won't matter much either way.