Don’t be fooled by its catchy name or Tamagotchi-like interface: this all-in-one device is trouble waiting to happen, and much more.
RFID-controlled locks protect countless buildings across the United States, from government offices to your next hotel room door. On my way to work recently, I passed nearly 20 of these keyless entry systems, which are among the most common in the world. Yet a playful palm-sized device with a Tamagotchi-like interface can likely defeat the locks on many of these doors.
The Flipper Zero is a $200 portable pen-testing tool designed for hackers of all levels of technical expertise. The device is the size of a phone, easily concealable, and packed with radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly over short ranges. For example, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet in just seconds.
If you only knew about Flipper Zero from TikTok, where it has gone viral, you might think it was a toy capable of making ATMs spit out money, cars unlock themselves, and gas spill out of pumps for free. I spent the last week testing one to see if the world was as vulnerable to Flipper Zero as social media suggested. What I discovered was mixed: many of the most dramatic TikTok videos are most likely staged—most modern wireless devices are not vulnerable to simple replay attacks—but the Flipper Zero is still undeniably powerful, providing aspiring hackers and seasoned pen-testers with a convenient new tool to probe the security of the world’s most ubiquitous wireless devices.
In reviews, Flipper Zero has been compared to a Swiss Army knife for physical penetration testing. During my week of testing, however, it felt more like a blacklight, something I could hold up to a device to reveal information that was invisible to the human eye: how it worked, what data it was emitting, and how frequently it did so.
Here’s a quick rundown of what I’ve learned this week thanks to Flipper Zero: Some animal microchips will tell you your pet’s body temperature. Anyone within range of my neighbor’s car tire pressure sensor receives data. Every few seconds, my iPhone sends infrared signals to my face. Signal jamming detection is built into my home security system. The office bathroom at WIRED has a soap dispenser that broadcasts when it needs to be refilled.
When I told one of Flipper Zero’s co-creators, Alex Kulagin, about my experiences using his tool to make these kinds of mundane observations, he explained that this is exactly what the device is intended for. “We want to help you understand something deeply, investigate how it works, and investigate the wireless world that is all around you but difficult to comprehend,” he says.
Kulagin and his business partner, Pavel Zhovner, first conceived of the Flipper Zero in 2019. Since then, the company has sold 150,000 devices and grown to nearly 50 employees. They have, however, encountered some opposition as they have grown. PayPal held up more than $1.3 million in payments this summer, and US Customs and Border Patrol seized a shipment of devices in September. According to Kulagin, CBP released the shipment after a month but has yet to explain why it was held. CBP refused WIRED’s request for comment on the seized Flipper Zeros.
Bob Zahreddine is a lieutenant with the Glendale Police Department and the executive officer of the High Tech Crime Cops, a law enforcement industry group that, according to its website, “connects cyber cops and investigators.” Zahreddine claims that he is not surprised that CBP is interested in Flipper Zero. “Because Flipper Zero is so customizable, it has the potential to be used in all kinds of crime,” he says.
Zahreddine’s organization maintains a listserv where investigators frequently seek advice from their peers and share news or information about developments in cutting-edge law enforcement technology. While he hasn’t heard any talk about Flipper Zero being used in any crimes on his listserv, he says investigators there are aware of the tool and have been following its development since Kulagin and Zhovner started fundraising on Kickstarter.
Indeed, it’s easy to see how someone could use this device to break the law or simply cause mischief. Not only was I able to clone my office’s ID badge with Flipper Zero, but I was also able to record the signal that my neighbor’s garage door opener makes when he pulls into his driveway. Older cars that don’t use rolling code encryption can likely be unlocked with it, and my Flipper Zero was able to read my credit card number through my wallet and pants.
However, Kulagin is unconcerned about his tool’s potential for criminal mischief. “Of course, there are some old cars that are vulnerable to Flipper. But they’re not secure by definition, and that’s not Flipper’s fault,” he claims. “Bad people exist, and they can do bad things with any computer. We have no intention of breaking any laws.”
To that end, Flipper Zero’s firmware by default prevents users from transmitting on frequencies that are prohibited in the country in which the device is located, and Flipper Zero’s Discord server explicitly prohibits discussions about alternative firmware with illegal features. The tool also cannot copy or replay encrypted signals. For example, while I could read the signal from my credit and debit cards, I couldn’t use that signal to pay for anything using contactless payment systems. Still, because the project is open source, a knowledgeable Flipper user could modify the firmware to enable additional, potentially malicious, functionality.
When I asked Kulagin if he had been contacted by law enforcement about the Flipper, he replied, “No, not yet.”
While a device like a Flipper Zero can get you in trouble, the tool undeniably provides any curious person looking to learn about the devices around them with a way to access and dissect the signals and protocols that power our lives. Following my week with the Flipper Zero, I am more engaged with the technology I encounter while walking around. I’m thinking more like a penetration tester.