It's hard to think of a more innocent device; a small white keyring, about the size MP3 players used to be two decades ago, and featuring a jolly dolphin on an LCD screen that could easily be mistaken for a Tamagotchi.
But we're talking about Flipper Zero, the latest hacker "toy" and the star of hundreds of viral videos on TikTok and Instagram in which almost magical powers are attributed to him. The Flipper Zero can open the doors of any car, clone credit cards, give access to offices and even change the price of a gas pump...
What is true? We have been able to get hold of a unit and test it for a few weeks. It has not been easy. Since its launch, the Flipper Zero, which was born as a Kickstarter project, is almost always sold out and several stores, such as Amazon, have decided to prohibit its sale due to the possibility that it is used to clone credit cards, although -spoiler- it is not known. can use for that.
Flipper Zero is a pentester, which is how devices or applications designed to test the vulnerability of systems (penetration tester) are known. It's equipped with antennas that support a handful of wireless protocols, such as Bluetooth, NFC, RFID, infrared, or Sub-1GHz. Also WiFi, if the corresponding module is added.
It comes equipped with several tools to detect, copy and emit any radio signal and it is also capable of cloning and emulating iButtons, those little keys in the shape of a button battery that are used by some electric scooters or the locks of some portals.
In theory, these capabilities are what make the Flipper Zero a dangerous device. A common case that is repeated in the videos that circulate on social networks is that of someone who clones the radio signal of a car key and opens the victim's vehicle.
For you would-be car thieves, we bring bad news. Most of these videos are montages. Almost all modern cars use rotating code tables stored in the keys, each time the button is pressed a different encrypted code is sent, which is what the car expects. It is useless to copy the radio signal because it is useless once the code has been used. What's more, you run the risk of desynchronizing the vehicle and the legitimate key.
Another surprising application on the social network is the cloning of a credit card. The same. The device can read the information of a card by approaching it, but it cannot use it to pay because NFC payment systems have various protection mechanisms to prevent this type of attack.
Getting the information from the card can be a problem, but the device has to be in contact with the card and at that point, for someone with the intention of stealing the data it is just as easy to take a photo or write down the information that is usually show on the card itself, including the CVV.
That's not to say that the Flipper Zero is harmless. Like any tool, it depends on the hands in which it is. We have spoken with Andrés Soriano, head of security at Universae and an expert on the state of cybersecurity in Spain to understand a little better what the danger posed by this tool is.
"Personally, I think that the main security problem is the access control systems that are currently used in a large number of companies and homes, for example, a garage key that does not have any security measures in place and that can be replicated simply by capturing it once," he explains.
It is also a very open device with a large community of enthusiastic users who are creating all kinds of applications that go beyond what the device allows out of the box. Flipper Zero even has a GPIO port, which allows you to add various plug-in modules with more advanced features.
Something that it can do from the factory, and that more than something "evil" can be considered a prank, is to control devices using infrared. You can turn up the volume or turn off the television in a bar or turn on any air conditioning, at the expense that would be incurred by the victim. It can also be used as a USB Rubber Ducky, which masquerades as a keyboard and can cause damage to the computers it connects to.
It's important to note that none of this is really new. Tools to make this kind of work have been around for a long time, the problem and at the same time the advantage of Flipper Zero is that it simplifies the use. "Until now, there was no portable device as complete and easy to use as the Flipper that would make it easier to carry out security tests on this type of signals, having to resort to specific hardware components, and generally at a high price," Soriano points out.
Flipper Zero costs 169 euros. It's a good tool for someone who is curious about how the radio frequency systems we use every day work and thanks to the active community of users, there are all kinds of curious applications, from "chasers" of radio signals from weather stations to readers of pet identification chips.
But if the person who buys it expects to find a device that, right out of the box, allows them to open a car or clone a credit card as they have seen in a TikTok video, they will be greatly and more than deservedly disappointed. Fortunately.
According to the criteria of The Trust Project