How the rise of Flipper Zero poses a new threat to IoT cybersecurity
Originally released in 2020, the Flipper Zero multi-tool largely went unnoticed to begin with. However, that has now changed as it has now gone viral on TikTok. Despite the device being marketed to ‘geeks’, ethical hackers, and pen testers as a means of exposing cybersecurity vulnerabilities, TikTokers have been posting videos in their droves that show them using it to play pranks in public.
Through Flipper Zero, amateur hackers and so-called ‘script kiddies’ have turned off electronic menus at fast food restaurants, remotely opened the charging ports on Teslas, and even gone so far as to change the prices on petrol station displays. They have been able to cause all this havoc, and much more besides, simply by aiming the tool at targeting systems – much like you would with a remote control – and pressing a few buttons. A few moments later, and the system they intend to hack is completely at their mercy.
What can Flipper Zero do and what are the dangers?
While it’s likely that much staging went into the production of these videos, and the feats they display couldn’t actually be pulled off so effortlessly in reality, the power of Flipper Zero must not be underestimated. On the surface, the device may appear to be a fairly primitive hacking gadget, but its growing popularity brings with it some potentially serious cybersecurity implications.
Even though it can’t directly hack into every wireless device it’s presented with, the tool is able to read the signals that they emit, allowing it to uncover a considerable amount of information in the process. Equipped with this knowledge, Flipper Zero can then be used to perform a whole host of actions, such as detecting an iPhone’s facial recognition signals and their frequency, reading the signals from a garage door opener, or cloning a card that grants access to a secure building.
Considering this, it doesn’t take much of an imagination to picture some of the potentially dangerous scenarios the device could create if placed in the wrong hands. And that’s the fundamental flaw associated with a gadget like Flipper Zero. While the tool may be marketed to professional ethical hackers for performing important tasks like pen testing, it’s clear that many people with little or no prior hacking experience are using it for their own – often unscrupulous – means. Hence it is very much the metaphorical double-edged sword.
Is Flipper Zero legal?
Flipper Zero itself may be legal, but it has significant potential to be used illegally, even if it is intended to just be “a bit of fun”, and this problem is only likely to grow as the product becomes increasingly ubiquitous. Retailed at around $169 in the US, the uncomfortable truth is that it is democratizing hacking tools such that anyone with the money and inclination to buy one is free to do so, and then use it in whatever way they choose to.
Of course, the developers of Flipper Zero insist that people shouldn’t use the product to tamper with devices or systems that they aren’t permitted to access, but the genie is very much out of the bottle at this point. After all, once everyday people are given the means to commit cyberattacks themselves, it’s very difficult to remove that power from them.
Flipper Zero also supports an app store for exploits. This makes it far too easy for hackers – ethical or otherwise – to share their discoveries, and will inevitably amplify the effect of a discovery. Just as the vast majority of web attacks are based on the black market in reusable, pre-canned exploits and hacker toolkits, we can anticipate the same with IoT attacks.
What are the challenges for OEMs?
The advent of Flipper Zero comes amid an increasingly turbulent cybersecurity landscape. Indeed, recent statistics suggest that there are an average of 5,400 attacks committed per month against IoT devices, and that over seven million data records are compromised on a daily basis.
While many attacks are perpetrated by criminal organizations who are intent on stealing data or causing widespread disruption for a variety of financial and political reasons, Flipper Zero’s rise is indicative of a broader trend. Namely, it and other ‘amateur’ hacking tools extend the ability to easily commit cyberattacks to everyday people, creating a much larger pool of potential threats than ever before. For IoT original equipment manufacturers [OEMs], this is a real problem.
As cyberattacks become even more common and the network of potential hackers grows exponentially, it’s inevitable that the devices OEMs produce will become increasingly vulnerable. Not only does this make the task of ensuring device security especially challenging, but it also threatens to erode consumer trust in IoT. If users can’t be guaranteed that their personal data will be kept safe, they’ll be far less willing to buy connected devices, and OEMs will see their revenues suffer as a result.
Furthermore, if, for example, an automotive OEM gains Type Approval for access to a particular market, but then its technology falls victim to widespread cyberattacks, regulators would be within their rights to withdraw approval. As such, manufacturers could be precluded from selling their products in certain parts of the world, which would not only be harmful to their profits, but their public image also. When placed in these terms, it’s clear that OEMs need to up their cybersecurity game now if they want to protect their devices from the deluge of cyberattacks set to come as tools like Flipper Zero become increasingly mainstream.
Are there benefits of Flipper Zero?
While the concept of hacking tools being in everyone’s pocket is far from ideal, it is not all bad news. The rise of Flipper Zero is building consumer awareness of the vulnerabilities that exist in many devices and the need for robust security. It may well be that one of the legacies that Flipper Zero creates is a consumer appreciation and willingness to pay for brands and devices that support stronger security.
It can also be argued that, if the core mission of Flipper Zero is to help with penetration testing, then its rapid rise to fame is fundamentally achieving that aim, even if it’s not in the way intended by its makers. Ultimately, the videos on TikTok are exposing issues that should be identified through traditional testing and verification processes.
How Trustonic can help OEMs
We appreciate that knowing how to act in order to protect against potential IoT cyberattacks can be challenging for OEMs. However, Trustonic is a provider of the industry leading Trusted Execution Environment [TEE] – an environment for executing code in which those executing the code can have high levels of trust in the surrounding environment. This means we possess both the solution and the expertise to assist manufacturers in implementing the highest level of security into their devices.
Recognized as a gold standard for the consumer IoT sector, our TEE has been certified using the industry-standard Common Criteria Protection Profile defined by GlobalPlatform, and achieved a class-leading EAL5+ certification. To date, the Trustonic TEE has been deployed in over 16 million vehicles, and this number is constantly rising.
As such, the platform sits at the heart of the next generation of secure, connected vehicles. Through the use of its hardware-backed secure environment, the solution can carry out critical operations, such as encryption and biometric authentication, and provide a trusted environment for applications and services.
Flipper Zero isn’t the first amateur gadget of its kind, and it certainly won’t be the last, but it is providing some valuable teachings for those who want to learn how to develop more secure products. OEMs need to prepare themselves and their devices for the inevitable ascension of DIY hackers that’s to come, and provide consumers with the peace of mind that they will need to continue using their products.