Flipper Zero is a portable hardware-hacking multi-tool, shaped like a tamagotchi, that packs a sub-1 GHz radio, 125 kHz RFID read and emulation, 13.56 MHz NFC, infrared, GPIO, iButton and USB keyboard emulation into a single device. It grew out of a 2020 Kickstarter campaign, runs open-source firmware and has become the reference gadget for hobbyists and Red Team operators working the physical layer alike. For a security manager, though, what matters is not the dolphin on the screen but that a device costing under 200 euros can clone an employee access card in seconds or inject keystrokes into an unattended corporate workstation.
This guide explains what Flipper Zero is from an offensive, technical point of view, what each of its radios is for, the concrete physical-security risks it poses to a company and, above all, how to detect and defend against it. This is not shop or hobby content: it assumes a legal framework, explicit authorisation and professional use inside a pentest or Red Team engagement.
What Flipper Zero is
Flipper Zero is a hardware-pentesting platform built around an STM32WB55 microcontroller, a dual-core SoC (an ARM Cortex-M4 for the application and a Cortex-M0+ for the Bluetooth Low Energy radio stack). Around it sits a set of dedicated transceivers that give it access to several wireless and contact protocols used every day in access control, home automation and automotive systems.
The key thing to understand is that it is not a magic device. Flipper Zero does not break modern encryption or AES: its danger comes from the fact that much of the real world's physical infrastructure still runs on 1990s technology with no cryptographic authentication. The Flipper simply puts that fragility within anyone's reach, through a convenient interface and without any need to solder or write code.
What it does: technical capabilities
Sub-1 GHz radio (CC1101)
The CC1101 transceiver gives it access to the sub-1 GHz bands used by garage remotes, parking barriers, industrial remotes and a host of IoT devices (roughly 300 to 348 MHz, 387 to 464 MHz and 779 to 928 MHz). Flipper can read, save and replay signals. Against fixed-code remotes the replay attack is trivial: you capture the signal and play it back. Rolling-code systems (KeeLoq and similar) resist simple replay, although they have been the subject of documented cryptographic attacks since 2007.
Low-frequency RFID (125 kHz)
This is one of the most serious risks for businesses. Many corporate access cards are still 125 kHz: EM4100 (EM-Marin), HID Prox and Indala. These technologies have no authentication or encryption whatsoever: the card broadcasts a static identifier in the clear. Flipper Zero reads it from a few centimetres away and emulates it instantly, presenting itself to the reader as if it were the original card. Cloning a badge of this kind is a matter of seconds.
High-frequency NFC (13.56 MHz)
With its NFC chip (ST25R3916) Flipper handles 13.56 MHz cards: MIFARE Classic, Ultralight, NTAG and other ISO 14443 types. MIFARE Classic is particularly relevant because its proprietary Crypto-1 cipher has been broken since 2008: with nested-style attacks and utilities such as mfkey32/mfkey64 the sector keys are recovered and the card is cloned in full. By contrast, MIFARE DESFire EV2/EV3, which uses AES, cannot be cloned this way, and that is precisely where the defensive line sits.
Infrared, GPIO and iButton
The infrared transceiver turns the Flipper into a universal remote: it learns and replays codes from televisions, projectors, air conditioners and other meeting-room equipment. The eight GPIO pins (3.3 V) enable UART, SPI and I2C for hardware debugging, firmware dumping or connecting external modules (for example a WiFi board with an ESP32). The iButton/1-Wire reader covers the Dallas contact keys still common in intercoms and lifts.
BadUSB and HID
Connected over USB, Flipper Zero presents itself to the computer as a keyboard (an HID device). This enables BadUSB attacks: it runs DuckyScript payloads that type commands at machine speed, open a PowerShell session, download a payload or create a local user. Because the system sees it as a keyboard and not as mass storage, controls that block USB sticks do not stop it. It is the same threat family as a hardware keylogger, but in reverse: instead of capturing, it injects. To understand why the same hardware weaknesses recur across connected devices, see our piece on IoT and OT cybersecurity.
Official firmware and community forks
The official firmware honours regional transmission restrictions and limits certain features. The community maintains forks (Unleashed, RogueMaster, Momentum) that remove those limits and add key dictionaries, more sub-GHz protocols and offensive utilities. For a defender, the practical takeaway is that you should not assume the stock behaviour of the device: any minimally motivated attacker will use modified firmware with expanded capabilities.
Real risks for companies
Cloning employee access cards
The most underestimated vector. An attacker does not need to steal the card: it is enough to bring the Flipper close to an employee's wallet or pocket in a lift, a coffee shop or a queue, or during classic tailgating. If the badge is 125 kHz or MIFARE Classic, it gets cloned. From there the intruder walks in through the front door like any other employee. This attack combines naturally with social engineering, which handles the physical approach and the pretext for being in the building.
Keystroke injection (BadUSB) on corporate machines
An unattended machine with an open session, or even a locked one if the attacker knows credentials, is enough. In seconds the Flipper types a payload that establishes persistence, exfiltrates data or opens a command-and-control channel. It is fast, silent and leaves none of the trail of an executable copied to disk.
Sub-GHz remote replay
Parking barriers, loading-dock doors and fixed-code remotes are vulnerable to capture and replay. In a logistics warehouse or a corporate car park, opening a barrier means clearing the perimeter without passing reception.
How to detect and defend
Defence is fundamentally about architecture, not about spotting the gadget itself:
- Migrate access control to cryptographic credentials. Replace 125 kHz Prox and MIFARE Classic with MIFARE DESFire EV2/EV3 (AES), HID Seos or mobile credentials with a secure element. Authenticate the card cryptographically, not just by its UID.
- Replace Wiegand with OSDP Secure Channel. The Wiegand protocol between reader and controller travels in the clear and can be intercepted with implants such as ESPKey or BLEKey (Bishop Fox, DEF CON 2015). OSDP v2 with Secure Channel encrypts and authenticates that link.
- Control USB at the endpoint. Apply device control with an allowlist of HID devices, attack surface reduction (ASR) rules on Windows, automatic screen locking and tools that detect keystroke injection by anomalous typing speed. The EDR should alert on PowerShell launched from interface processes or on local user creation.
- Harden the sub-GHz radio. Use rolling-code or encrypted remotes for barriers and access points, never fixed code.
- Reinforce physical controls. Turnstiles and anti-tailgating mantraps, RFID sleeves for badges, and specific awareness about device proximity.
- Bring the physical layer into scope. A Red Team engagement that covers card cloning and physical intrusion validates these controls before a real attacker does.
For a normative reference, NIST SP 800-116 (PIV physical access control), the PE controls in NIST SP 800-53 and the physical-security domain of ISO 27001 (Annex A.7) set the bar any serious organisation should meet.
Honest limitations of Flipper Zero
It deserves demystifying. Flipper Zero does not break AES or modern rolling code, does not clone DESFire cards or bank EMV chips, does not do WiFi without an external board and has a range of centimetres on RFID and NFC: it requires real proximity. Its strength lies in exploiting legacy, insecure technology, not in defeating solid cryptography. That is also the good news for defenders: modernising credentials and links neutralises most of its offensive capabilities in one stroke.
Legal framework
Owning a Flipper Zero is legal. Using it against third-party systems without authorisation is not: it can amount to unlawful access to information systems or computer damage, alongside data protection implications. Any professional use must sit inside a contract with express authorisation, defined scope and rules of engagement, exactly like any other penetration test.
Frequently asked questions
Is it legal to buy and own a Flipper Zero?
Yes. Purchase and possession are legal. What the law targets is unauthorised use against systems you do not own, which can amount to unlawful access or computer damage offences. In a professional context it is always used with written authorisation from the client.
Can Flipper Zero clone any access card?
No. It easily clones cards with no encryption (125 kHz EM/HID Prox) and MIFARE Classic, whose Crypto-1 cipher is broken. It does not clone MIFARE DESFire with AES, HID Seos or modern credentials with a secure element.
Is it good for hacking WiFi or cracking passwords?
Not out of the box. The Flipper has no WiFi radio of its own; it needs an external board (for example with an ESP32) and, even then, it does not break strong encryption. Its territory is RFID, NFC, sub-GHz, infrared and BadUSB.
How do I protect my company from badge cloning?
Migrate to cryptographic credentials (DESFire EV2/EV3, Seos or mobile), authenticate cryptographically rather than by UID, replace Wiegand with OSDP Secure Channel and add anti-tailgating controls. Validate it with an offensive exercise that includes the physical layer.
Does antivirus detect a Flipper BadUSB attack?
Not directly, because the device presents itself as a keyboard. Effective defence is HID device control, ASR rules, automatic screen locking and an EDR that correlates anomalous behaviour (unexpected PowerShell, user creation) after a peripheral is connected.
Related resources
- What is social engineering: the natural companion to physical cloning, which handles building access.
- What is a keylogger: the other side of hardware manipulation on the endpoint.
- IoT and OT cybersecurity: why the same hardware weaknesses recur across connected devices.
- What is a Red Team: the framework where physical security is genuinely tested.
- Penetration testing vs Red Team: when each approach covers the physical attack surface.
Physical security with Secra
At Secra we include credential cloning, BadUSB injection and physical intrusion inside our Red Team engagements, not just application and infrastructure pentesting. We assess the real technology behind your readers and cards, measure how far an attacker with a Flipper Zero in their pocket can get and deliver a prioritised remediation plan (credential migration, OSDP, USB control and anti-tailgating measures). If you want to know how exposed your access control is, write to us via contact or check our pentesting service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

