Despite Amazon Ban, Flipper Zero's 'Multi-Tool Device for Hackers' On Track for $80M in Sales (techcrunch.com) 80
The company behind Flipper Zero expects $80 million in sales this year, which ZDNet estimates at around 500,000 unit sales.
In its Kickstarter days the company sold almost $5 million as preorders, remembers TechCrunch, and the company claims it sold $25 million worth of the devices last year: So what are they selling? Flipper Zero is a "portable gamified multi-tool" aimed at everyone with an interest in cybersecurity, whether as a penetration tester, curious nerd or student — or with more nefarious purposes. The tool includes a bunch of ways to manipulate the world around you, including wireless devices (think garage openers), RFID card systems, remote keyless systems, key fobs, entry to barriers, etc. Basically, you can program it to emulate a bunch of different lock systems.
The system really works, too — I'm not much of a hacker, but I've been able to open garages, activate elevators and open other locking systems that should be way beyond my hacking skill level. On the one hand, it's an interesting toy to experiment with, which highlights how insecure much of the world around us actually is. On the other hand, I'm curious if it's a great idea to have 300,000+ hacking devices out in the wild that make it easy to capture car key signals and gate openers and then use them to open said apertures.
The company points out that their firmware is open source, and can be inspected by anyone.
ZDNet calls it "incredibly user-friendly" and "a fantastic educational tool and a stepping stone to get people — young and old — into cybersecurity," with "a very active community of users that are constantly finding new things to do with it". (Even third-party operating systems are available).
"Instead of looking like some scary hacking tool, all black and bristling with antennas, it looks like a kid's toy, all plastic and brightly colored," writes ZDNet. "It reminds me of Tamagotchis..."
Thanks to Slashdot reader ZipNada for suggesting the article.
In its Kickstarter days the company sold almost $5 million as preorders, remembers TechCrunch, and the company claims it sold $25 million worth of the devices last year: So what are they selling? Flipper Zero is a "portable gamified multi-tool" aimed at everyone with an interest in cybersecurity, whether as a penetration tester, curious nerd or student — or with more nefarious purposes. The tool includes a bunch of ways to manipulate the world around you, including wireless devices (think garage openers), RFID card systems, remote keyless systems, key fobs, entry to barriers, etc. Basically, you can program it to emulate a bunch of different lock systems.
The system really works, too — I'm not much of a hacker, but I've been able to open garages, activate elevators and open other locking systems that should be way beyond my hacking skill level. On the one hand, it's an interesting toy to experiment with, which highlights how insecure much of the world around us actually is. On the other hand, I'm curious if it's a great idea to have 300,000+ hacking devices out in the wild that make it easy to capture car key signals and gate openers and then use them to open said apertures.
The company points out that their firmware is open source, and can be inspected by anyone.
ZDNet calls it "incredibly user-friendly" and "a fantastic educational tool and a stepping stone to get people — young and old — into cybersecurity," with "a very active community of users that are constantly finding new things to do with it". (Even third-party operating systems are available).
"Instead of looking like some scary hacking tool, all black and bristling with antennas, it looks like a kid's toy, all plastic and brightly colored," writes ZDNet. "It reminds me of Tamagotchis..."
Thanks to Slashdot reader ZipNada for suggesting the article.
License Violations Galore! (Score:4, Informative)
Re:License Violations Galore! (Score:4, Informative)
Re:License Violations Galore! (Score:4, Insightful)
Their community gives so many good laughs like: "If I can see the code, it's open source."
Uh yeah, that's what open source is, the license lets you see the code. Some open source licenses give you more rights than that, and some don't. You do know people were opening their source and calling it open source before the OSI existed, right?
Re: (Score:3)
Their community gives so many good laughs like: "If I can see the code, it's open source."
Uh yeah, that's what open source is, the license lets you see the code. Some open source licenses give you more rights than that, and some don't. You do know people were opening their source and calling it open source before the OSI existed, right?
Perhaps there's a previous definition of open source that doesn't include copyleft, but the current definition certainly does.
If their community is taking code with incompatible licenses and dropping it into their GPLv3 code base then it is a problem.
I suspect the company is adopting a "if the right-holder complains we'll take out that bit" approach, but I'm not certain that's enough to protect them from lawsuits.
Re: (Score:2)
If someone modifies my code and uses it to break a license, how am I responsible for it? If someone abuses a tool I create and then I get charge for it, a couple of companies are in really hot water.
Re: (Score:2)
If someone modifies my code and uses it to break a license, how am I responsible for it? If someone abuses a tool I create and then I get charge for it, a couple of companies are in really hot water.
It sounds like Flipper is distributing the code, so if they know what's going on they could be guilty of deliberately infringing the licenses.
Re: (Score:2)
Their community gives so many good laughs like: "If I can see the code, it's open source."
Uh yeah, that's what open source is, the license lets you see the code. Some open source licenses give you more rights than that, and some don't. You do know people were opening their source and calling it open source before the OSI existed, right?
Perhaps there's a previous definition of open source that doesn't include copyleft, but the current definition certainly does.
Open source is separate from copyleft, IMHO. While people may have made the two synonymous do to common usage, they aren't. You can retain the copyright and still allow people to see the source and even use it without allowing for modifications or redistribution. That was as true previously as it is currently. I'll give you a personal example. I wrote some small bits of code for a project I did for a client. At the end of the project, I gave them the product and walked hem through the code so they cou
Re: (Score:2, Troll)
Perhaps there's a previous definition of open source that doesn't include copyleft, but the current definition certainly does.
That redefinition was done by the OSI, which based their right to do it on the idea that one of their own had invented the term, which was in use over a decade before they claim to have invented it. The OSI also wanted to copyright "Open Source" and we could have had a SCO-level battle over that but thankfully their chief counsel advised against it. Even after that, though, their leading lights regretted not trying to trademark it.
All of which, by the way, was actually an attack on and not an endorsement of
Re: (Score:3)
Re: (Score:2)
Link error (Score:3, Insightful)
It is ZDNet so the correct link is probably worthless too.
The Ban is hilarious (Score:4, Insightful)
It's so popular to ban things people (especially politicians and CEO's, with zero technical knowledge) don't understand.
And yet Amazon sells ESP 32, 8266 etc. Mobile-phone-all-in-one-sim-imei chips, wifi modules, RFID readers, cards and everything you need to take 1 hour or less to assemble with very little skills, some open source library, and hey presto - you have a way more powerful device than Flipper Zero is.
Re:The Ban is hilarious (Score:4, Interesting)
There is a clear and obvious right answer to the problem of easily-accessible hacking tools like this:
Better security in wireless products!
That's it. The industry is full of freely-available and mature knowledge about how to code systems to be secure. These solutions are totally within reach of every manufacturer who makes any kind of wireless or online product. They are absolutely without excuse for the sad state of security.
But they don't like this right answer because it costs them time and money. They want to go cheap, rely on bad security practices like security-through-obscurity because the people making the decisions don't understand why that's unreliable. Or they just want to outright stick their head in the sand and not even make so much as a respectful nod in the direction of security.
And then when stuff like this comes out they say "make it illegal! Problem solved."
Nope, not by a long shot.
Re:The Ban is hilarious (Score:4, Interesting)
No no, the answer isn't better security in wireless products, it's "no more wireless products used for security"
I don't know why all these idiots insist on making "wireless" remote-entry crap.
And before any nitwit politician gets any ideas, if you start banning this stuff, you will no longer have "remote-entry" built into your car. No keyfobs for your car, no keyfobs for your garage door, you car won't be able to open your garage door, etc.
The only reason any of the existing shit works is because it lacks security. If it had any security features at all, you would be ripping everything out every time you lost a keyfob. This is why after-market keyfobs are generally better in that sense, no kiddie with a fob emulator can get into your car/condo.
You know how most enterprise key-less entry systems work? There is a RS422 serial port-to-usb emulator plugged into something like a Windows XP machine somewhere in the building. When the power goes out, so does your keyless entry system.
And what about multiple tenants in the same building? One card for the main entrance, and one for the unit, operated by a different system.
Like I said, the problem is this shit implicitly does not have security because if does, you lose one card, and you rip everything out. Yes you can blacklist individual cards on the enterprise systems, but that is up to the tenants to tell the building manager to do so, which they won't. Which is why the tenants without their own keyless entry system based on the same tech get broken into.
Lose one card, and now everyone in the building is vulnerable.
This flipper isn't even necessary. Just piggy back into the building with someone coming in the front door. Most people are not observant.
Anyways. The human factor is the biggest problem.
Now... how do we keep from "script kiddies" with these tools from breaking into things for fun? Well the easy solution is you put a shitty masterlock on things you don't want accessed in seconds, that will then require them to have also acquired the lockpickinglawyer's tools he sells on his website, or make your own with the plans for them.
Server rooms, the individual cages should be mechanical locks for precisely this reason. It doesn't have to be a good lock, it just has to be something that discourages the kiddies from accessing YOUR server. The same goes for pretty much anything where the keyless entry is a convenience but you don't actually need it.
Like I kid you not, go on the lock picking lawyer's youtube and try to find a lock he can't open in under 30 seconds. NO mechanical lock, alone, is good enough to keep a determined person out, but ANY mechical lock is better than no lock. Most keyless entry locks are stupidly weak (as in "slide a wire through the tiny hole and lift up the locking mechanism, weak) especially those on safes. And as seen on "Storage Wars", the fastest way into a safe is to just chuck it at the concrete.
Re: (Score:2)
Heard it all before. "Why are you connecting your computer to the internet? Do you just plug into any random network?"
Turns out being able to remotely open the garage door when you get home is actually quite a nice quality of life upgrade. We know how to make it secure, just like we know how to secure computers connected to the internet.
Flipper Zero is like the first big internet worm. It will take a while but people will start to value security and lifetime support.
Re: (Score:2)
Nope. They won't. Cheap will always trump secure, because cheap is something you notice at the point of sale, security only after the disasters happens.
Re: (Score:2)
Indeed. Security is a "non-functional" requirement. Most people have trouble understanding what their point is. "It works, what else do I need to care about?" and the like.
One example I use for students is that of a bottle of nitroglycerine used as a paperweight as its primary purpose. Makes it clear that behaviors outside of the specified core ones may be really important.
Re: (Score:2)
As if on cue, I currently have exactly this discussion about how to try to raise user "awareness" for security and privacy.
My position is that it's pointless to try, and we need a different approach.
The key problem is, they don't care. Moreover, they don't understand why they should care. They may understand that it's important to keep their online banking secure and it's also possible to explain in simple terms why they should not post their vacation plans onto Facebook, but it ends there. As soon as anyth
Re: (Score:2)
That sums the issue up nicely. For experts I expect more and this discussion here is about a tool that can get you jailed if used in some fashions, so I would say it should be seen as a tool for experts.
But for ordinary users, they do not care about the details of tech and they are right not to care. Hence whatever they use must follow established safety-engineering principles. One core principle in safety engineering is that doing unsafe things must be a lot harder than doing the safe alternatives in any g
Re: (Score:2)
Did your wheelchair-Goebbels get his wish of outlawing any and all "hacking tools"? I didn't follow up on this, but last I checked, Schröder back when he was minister for the interior in Germany tried to ban "hacking tools" because they allowed people to "hack"?
It's pretty rare that I get to think foreign politicians are even more inapt and insane than ours... then again, you have AfD, we have FPÖ, who am I to complain...
Anyway.
In a corporate environment, you can actually ensure safety. It require
Re: (Score:2)
You may note that I wrote "a tool that can get you jailed if used in some fashions", which does not refer to possession, but, for example, violating wiretapping laws.
It is true that in some countries mere possession can be illegal, unless for educational or research purposes. I have no idea how you demonstrate that you got it for research purposes though unless you have, say, an on-topic PhD (I do) or a job in the area (I do). You are certainly allowed to do your own research or (self-)education without any
Re: (Score:2)
Yes, it's possible to secure wireless access. Just because something is wireless doesn't make it easier to break than a wired connection, just like something being put "on the internet" doesn't make it easier to break than if it's just connected to your local network. All that changes is the size of the attack surface and it's easier to get to the target. That doesn't make the target any more or less secure per se.
A lock does not become any more secure by putting a security guard in front of it. Yes, it's h
Re: (Score:2)
Of course wireless access can be secured. It just takes some actual skill an insight and an approach that is not driven by terminal greed.
The lock example is a good one. One look at the YouTube channel of the "Lock Picking Lawyer" shows how many crappy locks are out there and how an expert can still get into pretty decent locks with minimal effort. But the number of locks were the verdict is "accessible to an amateur with basics tools" for a non-destructive opening is staggering.
Re: (Score:2)
I don't even think that it's terminal greed. I had the "joy" of experiencing the problem first hand when consulting a manufacturer for smart TVs.
You have a bunch of engineers who excel at making TVs. That's what they're good at. Some of them have been designing and building TVs since the times when CRTs were the rage. They're good at that. In comes marketing and says that everything has to be "on the internet" today, and so do those TVs. First because it's one tick in a checkbox at the big box stores, and s
Re: (Score:2)
You do have a point and I am _not_ accusing the EEs of greed here at all. I accuse management that made the decision to impose that inane deadline and to not actually get outside expertise for the question before forcing their people to work on something they are not experts on. And yes, it is also market pressure and sometimes outright panic that causes these things. And some companies simply need to die because they failed to prepare for changes early or cannot adapt. These usually do quite a bit of damag
Re: (Score:2)
The accusation of management with greed is very likely spot on.
The engineers are in the pickle of having to do a job they never did, never learned and never wanted to do. And of course they wouldn't hire anyone knowing how to do it because hey, that costs money!
For the record, I was later (through less-than-official-channels) informed that all my recommendations were effectively canned because they essentially meant to scrap the crap and reimplement it from scratch, and that was too expensive. Instead, they
Re: (Score:2)
Yep, that TV job sounds like a real shit-show. Another reason why we need liability, they clearly were more than grossly negligible. Incidentally, I have a similar story, but cannot even tell you what industry that was in due to NDA. That enterprise does not exist anymore. This crap happens wayyy too often.
Re: (Score:2)
It's so popular to ban things people (especially politicians and CEO's, with zero technical knowledge) don't understand.
And yet Amazon sells ESP 32, 8266 etc. Mobile-phone-all-in-one-sim-imei chips, wifi modules, RFID readers, cards and everything you need to take 1 hour or less to assemble with very little skills, some open source library, and hey presto - you have a way more powerful device than Flipper Zero is.
There's a lot of people without the skills to pull that off. Sure, just follow the guide online, but which guild online? And what do they do when a library doesn't build or some other random bug pops up?
There's a reason people are buying security cameras, baby monitors, sprinkler timers, and smart home hubs, instead of just getting Raspberry Pis and building their own. Making a polished easy-to-use product can massively increase the user base.
Re: (Score:1)
Re: (Score:2)
Well, if you cannot follow step by step instructions [spacehuhn.com], most such projects now also have a store where you can buy the complete tool [spacehuhn.store].
In the end, it's simple enough. And if you can't figure out how to compile and flash a ready-built arduino sketch for a specific (and even easy to source) piece of hardware, well, you probably also don't know how to use it.
Re: (Score:2)
Well, if you cannot follow step by step instructions [spacehuhn.com], most such projects now also have a store where you can buy the complete tool [spacehuhn.store].
In the end, it's simple enough. And if you can't figure out how to compile and flash a ready-built arduino sketch for a specific (and even easy to source) piece of hardware, well, you probably also don't know how to use it.
Ok, that potentially lets me muck around with my (or someone else's wifi), and maybe their wifi door lock, unless it's bluetooth, not wifi, and I need another tool. Same with the garage door. And it's a DOS vulnerability, can that be leveraged into access or am I just being annoying?
If I'
Re: (Score:2)
My take is Amazon is actually justified in the ban, because they may run into legal problems otherwise. Selling attack tools to the general public is illegal in a number of countries. There is usually an exception for experts and for science and teaching, but Amazon cannot reasonably verify whether anybody qualifies.
On the other hand, this could likely have been sold without firmware and just a basicl loader anywhere and then people need to download the firmware independently from Amazon. Makes warranty a p
So...Amazon isn't important (Score:2)
Re: So...Amazon isn't important (Score:2)
I think the Amazon ban significantly boosted their sales. They could not have bought a better advertising campaign.
cost vs risk vs fun (Score:2)
My previous DC apartment used similar key FOBs, although they were round pins that had to be inserted into a hole. I wonder if Flipper is capable of emulating such a key and transmitting through the hole. Seems highly likely.
So it's easy to break security; DO SOMETHING GUYS (Score:5, Insightful)
It's time for companies to be on the hook when their security is trivial to break. Car makers get held responsible for mechanical crassitudes; time tech companies did as well.
Re: (Score:1)
Indeed. Most people and companies get attacked successfully because it is so pathetically easy to do. MicroCrap has a large part of the responsibility for that, but Google does too.
Long overdue (Score:2)
>> It's time for companies to be on the hook when their security is trivial to break.
Yep. Very long overdue.
I once developed car key HW, and EVERYONE in the industry knew that keyless fobs had an inherent physical weakness, allowing relay attacks.
No one didreally anything else about it than waiting for a better techno to be available (UWB) to protect efficiently against relay attacks
Gotta sell cars, right ?
Now, security improvements are long overdue.
Does it work on... (Score:2)
Purely mechanical locks, like a sonic screwdriver, or only on electronic stuff?
Re: (Score:2)
If you shoot it at that mechanical lock with a cannon, it probably can break that physical lock.
Doubling the attack surface (Score:2)
The worst thing you can do is to have both. Worst for security.
If you want to enter your house or car when having no electricity, doubling the attack surface is pretty inevitable.
Looks like something a laptop can do (Score:3)
With a few extra components and Linux as OS, but no need for hardware modifications. No idea what the people buying this hope to get there.
Re:Looks like something a laptop can do (Score:4)
They hope to have something more portable, that fits in their pocket, and that they can whip out anywhere.
Re: (Score:2)
In exchange for a crappy interface and a high price tag? Well, people in general _are_ stupid....
Re: (Score:2)
If you're trying to convince a C-Level of something, pulling out something from your pants to show off is usually far more impressive to them than a dry presentation of the technicalities.
Wait, that didn't come out the way it should...
Re: (Score:2)
Well, if you need to pull something out from your pants (or from your blouse for the ladies) in order to make a presentation not dry, you are doing it wrong...
Re: (Score:2)
Most laptops don't have a sub 1Ghz radio in them. You could add one, but this is a cheap script kiddie device that is much easier to hide and use covertly then a laptop.
Re: (Score:2)
I wouldn't mind a clone of the Flipper, but in the form factor of a USB dongle containing the RF modules, then just use the screen of the USB host instead of the little one on the Flipper . This would also get around the Amazon ban.... at least until it becomes popular enough to get noticed.
Re: (Score:2)
I actually designed exactly that, a simple USB dongle with CC1101 radio module (or optionally two of them). It was for a home sensor/automation project. The files are sitting on my HDD waiting for me to have time to do something with them.
If I had known there was commercial demand I'd have done something with them sooner.
Re: (Score:2)
You'd be surprised what there is commercial demand for. Hint: As long as it has USB, Bluetooth and/or is a sex toy, there is commercial demand for it.
Re: (Score:2)
Damn it, another million dollar idea I didn't develop.
Years ago I was using some gas sensors at work. Could have been the next Elon Musk with my idea for a Rate my Fart app.
Seriously though, I think I might re-work this CC1101 dongle to be a bit more flexible. I was using an XMEGA chip, but ARM is more popular. Maybe an STM32. I keep meaning to play with Microchip SAM, but since they are killing of Atmel Studio in favour of their own Eclipse based IDE one of the big advantages over ST is gone. Their periphe
Re: (Score:2)
I did. I'm not proud of it, but I did.
The thing you do for money.... and to make lonely subs happy...
Re: (Score:2)
That makes a lot more sense. And you get these at around $3 on aliexpress including shipping. Add an USB-to-SPI interface for about the same price and a voltage regulator and the rest is software.
Re: (Score:2)
A few people are adding the CC1101 to the Flipper, apparently it has some features that are lacking on the radio built-in to the Flipper: https://www.tindie.com/product... [tindie.com]
But yeah, I'd still be interested in a CC1101 dongle without a screen...
Re: (Score:2)
I'm not sure what that thing you linked to is, but the Flipper Zero has a CC1101 built in as the primary sub-1GHz radio. It's a fairly flexible device in terms of the frequencies and modulations it supports.
Re: (Score:2)
I'm not sure what that thing you linked to is, but the Flipper Zero has a CC1101 built in as the primary sub-1GHz radio. It's a fairly flexible device in terms of the frequencies and modulations it supports.
The Mayhem is an add-on module for the Flipper Zero, to add wifi and some more RFID features.... But yes, now that I read the Flipper's specs I see that it has the CC1101 on board too. Now I'm confused, I can only guess that the intention of the add-on was to improve RF performance over the built-in hardware. I also see that the Mayhem module is available with the NRF24 module instead of the CC1101. apparently this does add some features to the stock Flipper, e.g mousejacking.
Hackaday had a writeup recently
Re: (Score:2)
So it is targeted at small-time criminals? Because a legitimate red-team member will not have problems with adding that radio externally.
Yes, that makes sense. Also may make possession illegal in some countries.
Clunky. (Score:2)
Laptop is too clunky in field situations.
Use a phone or tablet instead.
Re: (Score:2)
Depends on what you are doing. I have done war-walks with a laptop because it was needed and a tablet or phone would not have cut it. But even with a telefone or tablet, there is still no need for this thing.
'Getting into cyber-security,' riiight... (Score:2)
Re:'Getting into cyber-security,' riiight... (Score:5, Insightful)
They clearly mean cyber-tresspassing and cyber-theft. There is no other reason to buy these.
That's like saying that there's no reason other than theft to own lock-picking tools, drills, hammers, and pry-bars.
Flipper Zeros might also be used for testing vulnerabilities - presumably prior to hardening - in devices one owns or is developing. And some people will use it when they've lost a fob or forgotten code.
Also, many if not most manufacturers of the type of kit one can use a Flipper on make security an afterthought, if they think of it at all. The wide availability and low barrier to entry that the Flipper Zero represents might force them to take security seriously - and that would be a very good thing.
Re: (Score:2)
As far as I know when these cyber devices need reset because you lost the password or remote key fob you call their tech support or throw them in the trash (because there is no tech support). If it was for a car you call the dealer, which an authorized outlet to replace the key fob or reset the security pin.
These have one intended purpose, and it is not to be lawful. Even you bought
Re: (Score:2)
We absolutely need tools like this to push lock manufacturers (digital and physical) to improve their game. If not, they will continue to make security solutions that can be bypassed quickly by people in the know. That doesn't just mean thieves. This is a benefit to society at large..
Re: (Score:2)
I work in IT-security (I tend to avoid the word "cyber", it usually gets you sneers from your peers in this field), and yes, I have a Flipper. Well, the company paid for it, I think it's a wee bit overpriced for what it offers. But it's a very useful tool for presentations. First, it's "cute". It doesn't look in any way threatening, it's not a laptop or a cellphone, both tools the average manager is familiar with and thus, on a purely psychological level, doesn't identify as a threat. You'd be amazed just h
Testing feels more accurate than hacking. (Score:3)
If you don't know what you're doing, or even trying to do... you're not "hacking". You're just messing with buttons.
Re: (Score:2)
"Hackers" is a very broad term and does include people who do not understand how the technology works, but understand how to apply it in a particular situation. A lot of hacking is "tech + domain knowledge + social manipulation"
Actually that might be a good definition of all successful hacking attacks these days. And it did not include the phrase "technical expert"
How about... (Score:2)
...bringing a plane down?
Re: (Score:2)
Why ?
Re: (Score:2)
It's not 'why', it's 'how'.
Re: (Score:2)
How has been clarified a long time ago.
Why is a still open question.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
You monster!
I bought one... (Score:2)
It includes a number of things I have wanted for a while. I don't have a need to use it for anything nefarious, but interesting to see what it can do.
Security through Obscurity (Score:2)
If the only security your device has is that it's hard to see the sensitive data without special tools, then you really have no security at all. The Flipper does nothing more than any SDR with a competent person behind the keyboard. You can even build your own with little fanfare or fus