We share both the first disappointments and successful cases of using the device. Pass cloning, radio button emulation, and vulnerability demonstration features are discussed. The advantages of Flipper Zero, including its compatibility with different types of cards and the possibility of customization, are given, as well as disadvantages, such as limitations in copying protected passes and the need for special knowledge to work with individual functions.
“Flipper Zero” by Flipper Devices Inc. does not need additional advertising, but the hype around this hacking multitool has already died down. Now users are divided into two camps: some consider it a useful tool, others doubt the feasibility of the purchase.
One of the pentesters and social engineers shared his experience using this device. He talked about Flipper’s usefulness for penetration testing, the tasks it can perform at customer sites, and whether it justifies its price. The advantages and disadvantages of the device in “field” conditions are considered.
Flipper Devices designed its multitool in a hackspace, raised $4.8 million on Kickstarter, and actually shipped the device. But the most remarkable part of this story is that the team managed to gather a strong community around it. Developers built custom firmware with a host of improvements and later added support for new types of passes. Comparing the Flipper we bought back then with today's, it is safe to say they are devices of a different level.
By suddenly turning on the TV at the reception desk, you can briefly distract the staff and pass unnoticed, but the IR port is rarely used. Although Pavlo Zhovner demonstrates that GPIOs can even be used to open some safes, these capabilities are rarely used. Enthusiasts are constantly finding new uses for the Flipper Zero, and it is impossible to describe all possible scenarios. In general, the device helps solve three main types of tasks.
The list of cards that can be recorded and emulated on the device has grown significantly.
Cloning passes remains a challenge even with Flipper Zero. Tags can be read only at a short distance, so you have to get close to the “victims”. A typical situation: you enter the elevator with the pass holder, holding Flipper in your sleeve in monitoring mode. At the right moment, you “accidentally” brush the device against the employee’s card. It’s risky, but it’s one of the easiest ways to get into an office or server room if you manage to copy an administrator’s pass.
This is the second most frequent way the team uses Flipper: with its help, dozens of protected rooms have already been opened. First, switch the device to monitoring mode and wait for the radio button to be pressed. Flipper captures the signal and determines the frequency and modulation, which then have to be adjusted manually. After that, wait for the button to be used again in order to record an exact copy of the signal. It matters that the button is pressed often; otherwise you can spend a whole day with no result.
Such an opportunity arises rarely, but when it does, it is memorable. If the circumstances are favorable, you can put on an effective demonstration in front of the customer.
One day, the team arrived at a potential client’s office for a meeting with top executives, grabbing Flipper just in case. During the meeting, having received a guest pass, I cloned it for an experiment. After the meeting, the head of security asked whether it was possible to find gaps in their security system with the naked eye. After handing the plastic card back to the security guard, I walked back in using the copied pass in front of the surprised top manager. Then I had to explain the importance of deactivating the card immediately after the guest leaves.
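The defensive lesson from this story is that a badge-reader log already contains the evidence of both failure modes described here: a returned guest pass that is used again, and a cloned credential that shows up at two readers faster than a person could walk between them. The following is an added example, not code from the article or from Flipper Devices; the log format, reader names, the `LOBBY-OUT` checkout reader and the travel times are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample badge-reader log (not from the article): time, credential, reader, result.
SAMPLE_LOG = """\
2024-05-06T09:00:12 GUEST-0042 LOBBY-IN GRANTED
2024-05-06T09:02:30 EMP-1177 ELEVATOR-B GRANTED
2024-05-06T09:02:41 EMP-1177 SERVER-ROOM GRANTED
2024-05-06T10:15:00 GUEST-0042 LOBBY-OUT GRANTED
2024-05-06T10:17:45 GUEST-0042 LOBBY-IN GRANTED
"""

# Hypothetical minimum walking time in seconds between reader pairs; one physical
# card cannot be presented at both readers faster than this.
MIN_TRAVEL_SECONDS = {
    frozenset({"ELEVATOR-B", "SERVER-ROOM"}): 90,
    frozenset({"LOBBY-IN", "LOBBY-OUT"}): 30,
}
CHECKOUT_READER = "LOBBY-OUT"  # assumed: guests hand their pass back at this reader


def parse_log(text):
    """Parse whitespace-separated log lines into time-sorted event tuples."""
    events = []
    for line in text.splitlines():
        ts, cred, reader, result = line.split()
        events.append((datetime.fromisoformat(ts), cred, reader, result))
    return sorted(events)


def find_anomalies(text):
    """Return (kind, credential, reader, timestamp) for each suspicious granted event."""
    anomalies = []
    last_seen = {}   # credential -> (time, reader) of its previous granted use
    returned = set()  # guest credentials that have already been handed back
    for ts, cred, reader, result in parse_log(text):
        if result != "GRANTED":
            continue
        # Rule 1: a guest pass used again after checkout was never deactivated.
        if cred.startswith("GUEST-"):
            if cred in returned and reader != CHECKOUT_READER:
                anomalies.append(("reuse-after-return", cred, reader, ts))
            if reader == CHECKOUT_READER:
                returned.add(cred)
        # Rule 2: impossible travel between readers points to a duplicated credential.
        if cred in last_seen:
            prev_ts, prev_reader = last_seen[cred]
            limit = MIN_TRAVEL_SECONDS.get(frozenset({prev_reader, reader}))
            if limit is not None and (ts - prev_ts).total_seconds() < limit:
                anomalies.append(("impossible-travel", cred, reader, ts))
        last_seen[cred] = (ts, reader)
    return anomalies
```

Run against the sample, the function flags `EMP-1177` reaching the server room 11 seconds after the elevator reader and `GUEST-0042` re-entering the lobby after the pass was handed back.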
Although there are no crazy stories like hacking vibrators, the success of pentests depends more on the basic functions of working with tags and radio buttons. In these tasks, Flipper has advantages over other cloners and over more elaborate hacking gadgets.
So far, Flipper Zero has coped with almost all the RFID and NFC keys we have encountered at customer facilities. This does not mean it knows every card, but for physical pentests its capabilities are sufficient in 99% of cases.
I have personally tested three firmwares. The basic one was quickly changed to a custom one – Unleashed – with regional restrictions removed, a new frequency analyzer, LFRFID and iButton Fuzzer plugins, additional Mifare Classic keys, constant updates and new features.
For example, additional Bluetooth scenarios are implemented. Previously, it was only possible to connect a multitool to a smartphone. Currently, Flipper Zero is able to work with Bluetooth at the hardware level. You can flood iOS devices with Bluetooth packets, as if an Apple TV went crazy or hundreds of AirPods appeared nearby.
Unleashed served the needs of cloning and recording passes perfectly, but was later replaced by Extreme. This firmware allows you to set a password on the device, which is important for the security of customers whose passes are temporarily used.
Plugins are usually easy to install: just download the executable file to the appropriate folder on the SD card. For example, a script for working with the Sub-GHz radio range will automatically appear in the menu as a new application.
The hardware platform of Flipper Zero allows you to easily connect it to all kinds of boards and home-made devices through GPIO pins.
It’s hard to remember my Flipper getting below 90% charge. And this is after three or four pentests, when the device is constantly connected to a smartphone via Bluetooth and works for a long time in monitoring mode.
In order not to attract attention, Flipper can be hidden in a pocket or backpack and controlled through an application on a smartphone. Scanning the radio spectrum this way, for example, is very convenient.
Serious bugs are rare in practice. When one does occur, the community comes to the rescue. The main thing is to describe the error in enough detail that it can be reproduced. As a rule, reported bugs are fixed by the firmware developers within a few weeks.
Of course, Flipper also has limitations and drawbacks, including during physical pentests.
Flipper is not yet able to clone the most secure passes with a dynamic key and some Mifare chips. New approaches are being developed to overcome these limitations. It’s a similar situation with Wi-Fi: expansion boards only attack 2.4 GHz, while many companies already use 5 GHz and the 802.11n, ac or ax standards. Meanwhile, Zhovner is developing and releasing new devices for Flipper, such as an air mouse or a retro console.
A “long” copy takes only a few seconds, but in real conditions you need to copy the tag quickly. Even a few minutes can be decisive. With experience, you learn what to expect from different types of passes. RFID tags are copied instantly: touch and you can retreat. With some NFC cards, you have to hold the device to the card for a couple of seconds longer, which is inconvenient for both the copier and the pass holder.
Flipper Zero is not a flash drive: it is not always possible to hide it properly, and its characteristic appearance and numerous TikTok videos have made it fairly recognizable. It is increasingly difficult to pass the multitool off as a Tamagotchi toy.
Flipper automatically adapts to the type of contactless card, but using it to send radio signals at a distance is more difficult. It is important to understand which bands modern gadgets operate on in order to avoid sending unintended commands. Otherwise you might accidentally trigger, for example, a fire alarm instead of a radio button, which can cause serious problems in real conditions.
In summary, the initial disappointment with Flipper Zero quickly passed. The device is evolving as a platform and is now worth more than it was a few years ago. It is important to realistically evaluate its possibilities and limitations without perceiving it as a panacea.
The main purpose of this information is to show the importance of understanding possible threats to ensure that security systems are properly protected.
Flipper Zero allows pentesters to discover and exploit vulnerabilities in access and security systems, such as RFID and NFC passes, radio buttons, and other wireless protocols. Knowledge of these techniques helps system defenders more effectively identify and remediate vulnerabilities in their systems.
Therefore, the use of tools such as Flipper Zero aims to increase awareness of potential threats and develop effective protection strategies, which is a key aspect in the field of cyber security.