What Is the New Flipper Zero Hacking Device?
The Flipper Zero is a latest hacker tool to hit the market. It’s still early in it’s development bit it already sports a variety of functions that can allow for unauthorized access and malicious code execution.
I have one, I love it already, and I spent the weekend playing around and hanging out on the Discord channel. Let’s talk about it and why you should or should not be worried about what someone with a Flipper Zero could do to your business.
What Is It?
The Flipper Zero is a lot of things, which is why hackers are so excited about it! The device is 4 1/2” x 2 1/2” but packs a number of wireless radios and USB functions allowing the hacker to do more and carry less devices. It is also hackable itself, with open source (still evolving) software and open ports that can be hooked in to easily without taking the device apart which allows for extending the current functionality in new and innovative ways. In short, it’s a learning tool, a playground, and a digital multi-tool.
What Can It Do?
It’s still early days and only a very small number of hackers have this device at the moment, but as of right now the primary features of the Flipper Zero are:
- A Radio Transceiver (sub 1 GHz)
What does that mean? It means that for a long list of devices that run on certain radio frequencies (garage door openers, IoT sensors, car key fobs, parking gates, etc) the Flipper Zero can scan, record, and play back these signals. Some of these devices are more secure than others, but, for example, someone with a Flipper Zero could record the signal of you opening your garage and play it back later to open it.
- Infrared Transmitter
This is how your TV remote works and the Flipper Zero can send the same type of signals. it also includes an ever-growing library of remote codes.
- RFID Reader
RFID is an increasingly common technology that allows for small amounts of data to be transmitted from a non-powered device, like an access card or a product tag, to a reader, such as a door lock or a register. The Flipper Zero can read RFID values, save, and replay them.
- NFC Reader
Same as RFID, but with NFC cards. A Flipper Zero could clone an NFC card, and replay it as needed.
- USB HID Device Emulation
This allows the Flipper Zero to perform “bad USB” attacks. By plugging the Flipper Zero in to a computer you can select a pre-written script for the computer to run at rapid speed because the Flipper Zero is acting as a keyboard with the world’s fastest typist hammering away on it doing whatever is on the script. Maybe that’s a prank, or maybe it’s saving every Excel file to a server in the cloud.
It’s important to point out that nothing on this list is new. You can do all of this today with tools or adapters like Hak5’s Rubber Ducky, or a $40 software defined radio from Amazon, but the fact that they are all packed together in a very portable device is very exciting.
Should You Be Concerned?
No…but also yes. I’ll explain.
If you’re now envisioning someone in a black hoodie walking up to your building, clicking a few buttons on a small device before walking past your parking gate, breezing past your securely locked doors, and running hundreds of lines of malicious code on your corporate devices in a matter of seconds, take a deep breath. The Flipper Zero existing doesn’t mean that’s going to happen. In fact (here’s the scary bit) everything I described has been doable for a long time with the the right knowledge and set of tools. If that scares the crap out of you, talk to your team or a technical consultant (Let me know if you need some help.) about your current physical security, where the weak spots are, and what can be done about them right away.
Yes, The Flipper Zero can do the things I described, but the device is focused on learning about radio frequencies and security. If you see an employee playing with one later this year, don’t freak out. Engage with them! I promise you they will have ideas on how to improve your security.
Let me know if you have more questions about the Flipper Zero, other tools out there, or corporate security in general! You can find me on Twitter @thatmikeflynn or mike at c33tech.com.
Related Posts
My Bat Phone Holiday Project
With three kids I don’t need a holiday break project to give me something to do like I used to, but I do still like to find something on my list and give it a time limit so I can use the time to accomplish something fun and improve some non-day job skills.
Read moreDEFCON 28 Wrap Up
DEFCON, the world’s largest hacking convention and always one of the highlights of my year, was last weekend and, of course, remote. I missed being in Vegas with tens of thousands of hackers, but there were still some fantastic talks and conversations over Discord. A quick “Top Five” highlights: If your password is eight characters or less, you essentially don’t have a password.
Read moreAn Ode to My Work Laptop
I started at Collective Digital Studio (now Studio71) in 2012 as the month of December awoke from it’s yearly slumber. I was handed a computer. A Macbook Pro Retina. That Retina part was new, as was how thin and light it was. Instantly I realized it was the best computer I had ever used.
Read more