Flipper Zero and Swiss Army Knives
The internet has been in a frenzy lately about the supposed criminal capabilities of the Flipper Zero, leading to its ban on Amazon and raising alarms in countries like Canada and Brazil. But in my view, the fears surrounding the Flipper Zero are being blown out of proportion and here's why...
The internet has been in a frenzy lately about the supposed criminal capabilities of the Flipper Zero, leading to its ban on Amazon and raising alarms in countries like Canada and Brazil. The device, denounced as a "card-skimming device" by Amazon, has faced criticism for its supposed potential to facilitate illicit activities, from card skimming to car thefts. But in my view, the fears surrounding the Flipper Zero are being blown out of proportion.
What is the Flipper zero?
The Flipper Zero is a portable multi-tool for hackers, developers, and cyber security professionals, designed to interact with various digital systems. It can emulate RFID, NFC, Bluetooth, and infrared signals, making it useful for penetration testing and security research. As it can emulate those signals, it can be used to research (and potentially attack) access control mechanisms of buildings or other RFID-equipped devices like cars.
Is the Flipper Zero a threat to cyber security?
Despite Amazon proclaiming otherwise, the Flipper Zero is incapable of card skimming. Even with modified firmware, its Near Field Communication (NFC) data reading capabilities are too limited to pose any real threat. The absence of a magnetic stripe reader further diminishes the risks. And the concerns regarding its supposed ability to steal cars are also unfounded. Rolling code implementations defeated the type of attack the Flipper Zero could execute back in the 90s. More advanced devices capable of relay attacks are the real threat to keyless entry cars, which have long been known to be insecure.
Re-thinking the Flipper Zero bans
Countries like Canada and Brazil are contemplating bans, fueled by misconceptions about the device's functionalities. However, it's crucial to recognise that the Flipper Zero doesn't introduce any new technologies. It incorporates standard features like software-defined radio, Bluetooth Low Energy capabilities, and RFID reader—tools that are available in other, more powerful devices like the HackRF and Proxmark3. I often compare the Flipper Zero to a Swiss Army knife: it offers many tools in one, although not necessarily the best in class.
The HackRF can perform all the over-the-air transmission tasks the Flipper can, and more. It has greater range, can accommodate a wide range of external antennas, handles a broader spectrum of frequencies, and is priced similarly to the Flipper Zero. Similarly, any Proxmark device can handle all RFID-related tasks the Flipper can, including reading, writing, and emulating, with much wider support for different RFID technologies, and you can get one for about £50.
Conclusion
The Flipper Zero is a great tool, but mostly because it combines as much functionality as possible into a small form factor. The discussion should not revolve around banning the device but rather on understanding and addressing the vulnerabilities it reveals. Banning the Flipper Zero won't eliminate these security flaws, just as banning Swiss Army knives won't eradicate knife-related crimes.
