Across the US, countless buildings, from government offices to your next hotel room door, are protected by RFID-controlled locks. On a recent trip to my office, I passed nearly 20 of these keyless entry systems, which are among the most pervasive in the world. But a playful palm-sized gadget with a Tamagotchi-like interface can likely thwart the locks on many of these doors.
The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly over short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet.
If you had only heard about Flipper Zero through TikTok, where the tool has gone viral, you might think that it was a toy that could make ATMs spit out money, cars unlock themselves, and gas spill out of pumps for free. I spent the last week testing one to determine whether the world was as vulnerable to Flipper Zero as social media made it out to be. What I found was mixed: Many of the most dramatic videos posted to TikTok are likely staged—most modern wireless devices are not susceptible to simple replay attacks—but the Flipper Zero is still undeniably powerful, giving aspiring hackers and seasoned pen-testers a convenient new tool to probe the security of the world’s most ubiquitous wireless devices.
In reviews, people liken Flipper Zero to a Swiss Army knife for physical penetration testing. But in my week testing Flipper Zero, it felt more like a blacklight—something I could literally hold up to a device that would reveal information, invisible to the human eye, about how it worked, what data it was emitting, and how often it was doing so.
Here’s a brief list of some things I’ve learned with the help of Flipper Zero this week: Some animal microchips will tell you the body temperature of your pet. My neighbor’s car tire pressure sensor leaks data to anyone in range of the signal. My iPhone blasts my face with infrared signals every few seconds. My home security system has built-in signal-jamming detection. WIRED’s office bathroom has a soap dispenser that broadcasts whether it needs a refill.
When I told Alex Kulagin, one of Flipper Zero’s co-creators, about my experiences using his tool to make these kinds of mundane observations, he explained that this is exactly what the device is meant for. “We want to help you understand something deeply, explore how it works, and explore the wireless world that’s all around you but difficult to understand,” he says.
Kulagin and his business partner, Pavel Zhovner, first came up with the idea for Flipper Zero in 2019. Since then, their company has sold 150,000 devices and they’ve grown their team to nearly 50 people. But as they’ve grown, they’ve encountered some resistance. This summer, payments of more than $1.3 million were held up by PayPal, and in September, US Customs and Border Patrol seized a shipment of devices. According to Kulagin, CBP released the shipment after a month but has yet to tell the company why it held the shipment. CBP declined WIRED’s request to comment about the seized Flipper Zeros.