Flipper Zero

NJCCIC Alert

Original Release Date: 1/12/2023

Summary

Flipper Zero is a small, concealable, portable penetration testing tool capable of exploring, copying, intercepting, and replaying signals and protocols communicated over short ranges, including radio protocols, access control systems, and hardware. The popular, in-demand hacking tool went viral on TikTok in late 2022 and can be used as a positive, legitimate, and convenient way for pentesters and curious minds to learn about, access, and dissect signals and protocols.

Demand continues to increase, limiting supply and pushing consumers toward third-party vendors that resell the product at higher cost. Threat actors are exploiting the high demand and low supply by impersonating Flipper Zero's social media accounts and official vendor websites to interact with prospective customers and lure them into paying with cryptocurrency, after which no device is ever sent. Additionally, most of the posted TikTok videos reportedly may have been staged and spread misinformation, as most modern wireless devices are not vulnerable to simple replay attacks. The device itself also has practical limitations: while users were able to read the signal from credit and debit cards, the tool was unable to clone or replay the encrypted exchange and was therefore unable to make purchases through contactless payment systems. By default, the firmware also prevents users from transmitting on frequencies banned in the country where the device is physically located, and Flipper Zero's Discord server forbids discussion of alternative firmware with illegal features. Although Flipper Zero reportedly has not been used for criminal activity, it has, like other legitimate tools and similar devices, the potential for intentional misuse and abuse.

Recommendations

The NJCCIC recommends users and organizations educate themselves and others on these continuing potential threats and tactics to reduce victimization. Remain vigilant, keep systems and devices up to date, and maintain cybersecurity best practices, including physical security. Additionally, exercise caution when reading social media posts that may contain misinformation and refrain from responding to or clicking links delivered in communications from unknown or unverified senders. Instead, navigate directly to official, verified websites or apps for requests for information or to make purchases. Further details can be found in the WIRED article and ZDNET article.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

