
Mobile hacking tool
Small but Deadly
The story of Flipper Zero began in 2019 when Alex Kulagin and Pavel Zhovner set about raising funds for their business idea on Kickstarter. The rest is more or less history. Ever since Flipper Zero went viral on TikTok as a "Tamagotchi for hackers," there has been no holding it back. The media have repeatedly associated Flipper Zero with the same potential applications: replicating electronic cash (EC) or credit card data and unlocking cars and hotel rooms. Smartphones can also be unlocked in a matter of seconds. Of course, these are just the applications that make a splash in the media.
These capabilities have also given rise to criticism. In Canada, the device was banned for a time because of them. The government has since lifted the ban, stating that use is only permitted for "legitimate actors." The reason given for the ban was that the device could be used to discover security vulnerabilities in vehicles. The Flipper manufacturer came out on top, however, supported by the "stop the absurd ban" petition at Change.org [1], which argued that government institutions should focus on forcing vehicle manufacturers to eliminate security flaws rather than banning the tool that detects them. Amazon had also temporarily stopped selling Flipper Zero. In Brazil, the devices were even confiscated on the grounds that their wireless interfaces did not have official clearance.
None of this fuss has done Flipper Zero any harm; on the contrary, these seemingly helpless attempts to ban hacking tools have helped the Flipper developers attract massive media attention. At the same time, state actors often overlook the fact that even beginners can learn hacking techniques relatively easily with freely available tools such as Kali Linux.
Capabilities
Wireless communications are both a blessing and a curse. Even if basic security is usually in place, the door is often left open to potential attackers – especially when admins fail to adhere to the latest standards and fail to update software. After the successful conclusion of the Kickstarter campaign in 2020, which raised the impressive sum of $4.8 million according to the Hackaday platform [2], an active community has sprung up around this practical device, helping to drive the project forward.
From the media coverage, you might be excused for gaining the impression that Flipper Zero is a master key for Internet-of-Things services, but this is more of a media exaggeration. Flipper Zero has a set of antennas suitable for capturing, storing, cloning, and emulating radio signals. More specifically, the tool supports the following signal types:
- Near-field communication (NFC): Allows NFC signals to be read from bank cards and building access cards.
- 125kHz radio-frequency identification (RFID): Older cards and microchips use this frequency.
- Infrared: Many remote controls use infrared signals.
- Sub-1GHz: Garage door remote controls and keyless remote control systems in particular use sub-1GHz frequencies for communication.
The CC1101 transceiver chip is the beating heart of the Flipper Zero; it supports recording, analyzing, and replaying RF signals from 300 to 928MHz. The user can leverage this ability to hijack remote control systems that do not use a rolling code for authentication and are therefore susceptible to replay attacks. Moreover, the Flipper Zero can read and emulate various RFID cards, record IR signals, or transmit programmable user data.
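Why the rolling code matters is easiest to see in a simulation. The following is an added example, not code from the article or from the Flipper firmware: a fixed-code receiver accepts a recorded frame a second time, while a counter-based rolling-code receiver rejects the same replay. The key, the frame layout and the resync window are constructed assumptions.

```python
# Added example (not from the article or the Flipper firmware): a simulated receiver
# showing why a recorded fixed code opens the receiver again on replay, while a rolling
# (counter-based) code rejects it. Key, frame layout and window are constructed values.
import hashlib
import hmac

KEY = b"constructed-demo-key"  # secret shared by remote and receiver
WINDOW = 16                     # counter steps the receiver tolerates (lost presses)

def fixed_code_frame(device_id: int) -> bytes:
    """Fixed-code remote: identical bytes on every button press."""
    return device_id.to_bytes(4, "big")

def fixed_code_accept(device_id: int, frame: bytes) -> bool:
    # Nothing distinguishes a live press from a recording of one.
    return frame == fixed_code_frame(device_id)

def rolling_code_frame(device_id: int, counter: int) -> bytes:
    """Rolling-code remote: device id + press counter + truncated HMAC over both."""
    body = device_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    def __init__(self, device_id: int):
        self.device_id = device_id
        self.last_counter = -1  # highest counter accepted so far
    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()[:8]):
            return False  # forged or corrupted frame
        dev, ctr = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big")
        # Replay protection: the counter must advance, but only within the resync window.
        if dev != self.device_id or not (self.last_counter < ctr <= self.last_counter + WINDOW):
            return False
        self.last_counter = ctr
        return True

def replay_demo() -> dict:
    """Record one legitimate press of each remote, then feed the recording back."""
    rolling_rx = RollingCodeReceiver(0x1234)
    rec_fixed, rec_rolling = fixed_code_frame(0x1234), rolling_code_frame(0x1234, 7)
    return {
        "fixed_live": fixed_code_accept(0x1234, rec_fixed),
        "fixed_replay": fixed_code_accept(0x1234, rec_fixed),   # True: receiver cannot tell
        "rolling_live": rolling_rx.accept(rec_rolling),
        "rolling_replay": rolling_rx.accept(rec_rolling),       # False: counter did not advance
        "rolling_next": rolling_rx.accept(rolling_code_frame(0x1234, 8)),
    }
```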
The device also acts as a USB-to-UART/SPI/I2C adapter and supports Bluetooth spamming. This Bluetooth Low Energy (BLE) denial-of-service (DoS) attack can be used to crash iPhones and iPads in particular; devices with iOS 17.2 or newer are less susceptible. Last but not least, Flipper Zero can act as a (wireless) BadUSB, an attack that relies on manipulating the firmware of USB devices.
Flipper uses the FreeRTOS real-time operating system and can also be used as a human interface device (HID) controller to replace, say, PC keyboards or mice. The modular architecture is another highlight, allowing the expansion of the basic system. The WiFi-capable developer board lets you add debugging and firmware update functions to the device.
The board (see the "Modules and Prices" box) is based on the ESP32-S2 microcontroller unit (MCU). Its custom firmware includes Black Magic Debug and CMSIS-DAP, a protocol and interface for programming and debugging microcontrollers, and is built on ESP-IDF, Espressif's official development framework for the ESP32 series, which provides libraries, tools, and sample code for developing applications on the ESP32 MCU. This module lets you flash and debug the Flipper Zero over WiFi or a USB cable. The developer board can also act as a USB-to-UART adapter; the UART hardware component supports serial communications and converts data between parallel and serial formats.
Modules and Prices
The developers sell the device, which is made in China, from their online store [3]. The price for the basic device is $169 (EUR199). Purchasing a silicone case ($15, EUR18) is also recommended for more intensive use. The developer board will set you back $29 (EUR34) and the video game module $49 (EUR59). The developers also offer prototyping boards that you can expand with your own functions.
Flipper Zero can also be extended with a video game module based on the Raspberry Pi RP2040 microcontroller, which opens up additional entertainment and development options. Like the developer board, the module is connected to Flipper Zero by GPIO connections. Even though the Flipper is often referred to as the "Swiss army knife" of penetration testing (pentesting), it is clear in practice that the device, or more precisely its antennas, supports a very limited frequency spectrum; the software features are also limited. Software-defined radio (SDR) opens up significantly more possibilities than Flipper Zero offers.
Reading Out NFC and Testing BadUSB
Flipper Zero is primarily associated with its ability to clone credit cards, open modern vehicles, and break digital security systems. The device has a read mode for typical remote control functions. To read an NFC chip, position the card behind the device, open the NFC tab (Figure 1), and execute the Read command. After reading, Flipper presents the result, which you can save and use with the Emulate function to, for example, verify the reliability of blocking cards or sleeves, which are designed to prevent NFC and RFID skimming.
BadUSB has become a popular attack vector, which explains why you will want to test your IT security's resilience to it. In this mode, the computer regards the Flipper Zero device as a HID. Flipper uses DuckyScript [4] to execute commands on the target system. The BadUSB app requires an installed microSD card, because Flipper Zero stores the data there. That aside, the BadUSB function is easy to use.
Starting at the Main Menu, choose Bad USB, select the payload script, connect the device to the laptop, and Run the script. Flipper Zero has a number of sample scripts that you can use to gain some initial experience. You will find another BadUSB example in the Apps | Scripts menu. The two most comprehensive collections of scripts (e.g., which you can use to read passwords in the scope of a pentest) are available for download from GitHub [5] [6].
Flipper Zero is designed for interaction with a smartphone. During the initial start-up, for example, you need to update the firmware, which you also need to do if you want to use the developer board. The Flipper app, available from the App Store or Google Play, downloads the update for you. The developers also provide qFlipper for macOS, Linux, and Windows in their download area [7]; this app can install updates and control Flipper Zero, as well (Figure 2). Also on offer is an application SDK for developing your own Flipper Zero applications in the form of the micro Flipper build tool (µFBT).

Testing WiFi Security
WiFi network reliability and security are probably high on the agenda for most admins. Flipper Zero can offer valuable services here, but you need both the developer board and various add-on components. The plugin board's design is unfortunate: the bare board is easily damaged by a moment's inattention. Resourceful users might want to use a 3D printer to create a case, and others can pick one up from well-known online sources. Note that the two buttons on the circuit board are for rebooting and resetting.
To use the WiFi adapter to test a wireless environment, you need the Marauder module [8]. Start by unpacking the ZIP archive after downloading. Then things get a little tricky: Press the Boot button on the board, connect the developer board to a computer with a USB-C cable, wait three seconds, then release the button.
Run the flash.bat batch file to pop up the Marauder Flasher script and select option 1. Flash Marauder (no SD mod) to Devboard. You can follow the flashing process on the console. When done, close the console, disconnect the board from the computer, and connect it to your Flipper Zero. You do not need to restart. Once plugged in, the board lights up blue, green, and red in sequence, which indicates that the setup process was error free. From now on, the Marauder module is available under App | GPIO.
Besides the standard firmware, you can install other alternatives to open various additional functions. Some of the more interesting alternatives include Unleashed Firmware [9] and Xtreme Firmware [10]. Both expand the feature set in a useful way; for example, you can add menus, modify animations, and define keyboard shortcuts.
Unleashed also lets you rename the device – an option you do not get with most alternative firmware. The nice thing about these two variants is that they offer a web-based installer. To install, simply browse to the URL and make sure that Flipper Zero is connected to a computer with an Internet connection. The web installer takes care of everything else. The only restriction is that only Chrome and Opera are supported. After the download, you can follow the installation process on the Flipper display.
The Xtreme firmware offers not only simplified menu navigation but also a plethora of additional features that are not included with the standard firmware. It proves to be practical for pentesting WiFi networks by creating an Apps | WiFi submenu. Besides Marauder, you will also find the Wardrive and Deauther modules and a WiFi scanner here.
Marauder is easy to use: The Scan item checks the environment for available access points. WiFi station mode is also supported. To attack a specific access point, switch to the List item and specify the number Marauder assigns to the target. Next, go to Select, specify the target with the select -a <target number> command, and tap Save to save the selection. You now have the choice of attacking the access point directly from Attack or recording the data traffic with the integrated sniffer. Flipper saves the recorded data on the microSD card. You can analyze the PCAP file with Wireshark [11] and extract WiFi passwords with hashcat [12].
Given the small size of the housing – Flipper Zero is just 10 cm wide and 4 cm high – it is not surprising that the performance of the integrated antennas is limited. If you want to test wireless connections intensively, you might want to consider purchasing an additional Flipper antenna to improve the transmission and reception performance.
