Proceeding Paper

Exploring the Real Capabilities of the Flipper Zero †

by Francisco Javier Muñoz-Ruiz 1, Agustín Javier Di-Bartolo 1, Fernando Broncano-Morgado 2,*, Belén M. Ramírez-Gabardino 1 and Mar Ávila 1

1 Department of Informatics and Telematics Systems, Polytechnic School of Cáceres, University of Extremadura, 10003 Cáceres, Spain
2 Department of Informatics and Telematics Systems, Industrial Engineering School of Badajoz, University of Extremadura, 06006 Badajoz, Spain
* Author to whom correspondence should be addressed.
† Presented at the First Summer School on Artificial Intelligence in Cybersecurity, Cancun, Mexico, 3–7 November 2025.
Eng. Proc. 2026, 123(1), 6; https://doi.org/10.3390/engproc2026123006
Published: 2 February 2026
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

Abstract

Wireless devices are increasingly used today, and the presence of vulnerabilities represents a significant risk to modern security systems. This study analyzes the different functionalities of the Flipper Zero device and its capability to compromise everyday systems. Through various tests and an exhaustive analysis of its infrared, RFID/NFC, sub-GHz, USB, and Bluetooth functionalities, several critical vulnerabilities were identified, such as access credential emulation and interference with remote control signals. These results demonstrate that the device is a highly versatile and useful tool for performing security audits, not only improving traditional testing methods but also opening new possibilities for developing more resilient defense systems. However, it also poses a potential risk if misused for malicious purposes.

1. Introduction

Today, inexpensive and easy-to-use wireless devices are increasingly common, which has made it easier to attempt to manipulate devices in homes and organizations. Flipper Zero packs IR, RFID/NFC, sub-GHz, USB, and Bluetooth capabilities (Figure 1) into a portable form factor, enabling faithful reproduction of everyday attack vectors while also validating countermeasures within a responsible auditing framework [1].
In this work, within the field of cybersecurity, we present empirical tests that cover cloning and editing of MIFARE Classic 1K cards by exploiting the weakness of the CRYPTO1 scheme via the Nested Attack; evaluation of openings in sub-GHz systems with fixed codes (e.g., CAME 12-bit at 433 MHz) and the limitations posed by rolling-code; USB HID automation with JavaScript scripts capable of exfiltrating information from Windows to an emulated mass-storage device; and availability degradation via BLE Spam through massive advertising, randomized addresses, and the appearance of pop-ups/resets in certain iOS environments—all conducted in controlled auditing scenarios.
This work provides a clear, practical view of what a Flipper Zero can and cannot do in real-world situations. Our methodology is designed to facilitate the replication of experimental results under a controlled and stable configuration. The study provides an example-driven comparative analysis, highlighting the relative effectiveness of different attacks—for instance, when fixed codes are used versus systems with changing codes. We also provide scripts and supporting materials that help measure the impact on a Windows host in a controlled manner. Finally, the paper concludes by presenting straightforward recommendations to improve security and train users.
The literature and public debate underscore the dual nature of these tools (educational/defensive value versus potential for misuse) and their open, dynamic ecosystem [2,3,4,5,6,7].
The objective of this work is to assess the real capabilities of the Flipper Zero to compromise (or help protect) common wireless systems through emulation, cloning, scripting, and exhaustion attacks, identifying both risks and effective technical barriers in current deployments.

2. Device Configuration and Initialization

A Flipper Zero with a high-capacity microSD card was used to record readings, dumps, and artifacts, managed with the official desktop and mobile apps and supported by community repositories for maintenance [1,8].
After comparing firmware options, Momentum was selected for its stability, interface improvements, and integrated utilities (e.g., USB image management, JS scripting engine, BLE Spam), avoiding reliance on external components [9]. Initialization included flashing the release version, preparing the microSD card, performing integrity checks, and enabling modules. The enabled profiles and applications were:
  • IR: catalogs of universal remotes and learning (Learn) for emulation.
  • RFID/NFC: reading, writing, and emulation, focusing on MIFARE Classic 1K and attack/editing tools (Nested, Classic Editor, Fuzzer).
  • Sub-GHz: capture/replay of signals, Frequency Analyzer, Read/RAW, and Sub-GHz Bruteforcer to assess fixed codes.
  • USB + scripts: keyboard HID, Mass Storage, and execution of JavaScript (automation/controlled exfiltration on Windows).
  • Bluetooth (BLE): BLE Spam with identifier randomization and different aggressive advertising profiles.
No GPIO accessories (antennas/Wi-Fi boards) were added due to material constraints; their potential impact on range and attack surface was analyzed at a theoretical level.

3. Experimental Evidence and Analysis of the Execution of Communication Protocols

A test battery was designed for each family of protocols, prioritizing common risk scenarios in auditing. The following summarizes the observed behavior, its offensive–defensive applicability, and the limitations identified.
Infrared (IR). Remote emulation/automation was consistent on common equipment. Its direct impact on cybersecurity is limited; however, it can be used for operational disruptions (e.g., power-offs or input changes as a distraction).
RFID/NFC/iButton. With MIFARE Classic 1K, the ease of cloning was evident when the system depends on CRYPTO1: the Nested Attack recovered keys and enabled reading/editing with Classic Editor. The Fuzzer facilitated robustness testing in readers. Although iButton was not validated due to lack of material, its cloning/manipulation risks are documented as inherent to its design.
Sub-GHz. Openings were confirmed in access systems with fixed codes using Sub-GHz Bruteforcer (e.g., CAME 12-bit at 433 MHz), whereas the presence of rolling-code clearly blocked replay/brute-force attacks (Figure 2).
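The contrast between fixed and rolling codes described above, as an added example that is not from the paper or its authors: a receiver-side model in which a copied fixed-code frame is accepted again, while a counter-plus-MAC receiver rejects replayed, forged and out-of-window frames. The truncated HMAC, the window size, the key and the code value are assumptions for illustration and do not represent CAME's or any vendor's actual rolling-code scheme.

```python
import hashlib
import hmac

FIXED_CODE_BITS = 12  # the CAME 12-bit example from the text

def fixed_keyspace(bits=FIXED_CODE_BITS):
    """Number of distinct codes a fixed-code receiver can be set to."""
    return 2 ** bits

def make_tag(key, counter):
    """MAC over the counter; truncated HMAC-SHA256 is an assumption here."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return frame == self.code  # no freshness: any copy of the frame works

class RollingCodeReceiver:
    def __init__(self, key, window=16):
        self.key, self.window, self.counter = key, window, 0

    def accept(self, frame):
        counter, tag = frame
        # Freshness: counter must be ahead of the last accepted one, within a window.
        if not (self.counter < counter <= self.counter + self.window):
            return False
        if not hmac.compare_digest(tag, make_tag(self.key, counter)):
            return False
        self.counter = counter  # burn this counter and all earlier ones
        return True

def demo():
    fixed = FixedCodeReceiver(0xA5C)          # constructed 12-bit code
    key = b"constructed-demo-key"             # constructed shared secret
    rolling = RollingCodeReceiver(key)
    press = (1, make_tag(key, 1))             # legitimate button press
    return {
        "fixed_first": fixed.accept(0xA5C),
        "fixed_replay": fixed.accept(0xA5C),
        "rolling_first": rolling.accept(press),
        "rolling_replay": rolling.accept(press),
        "rolling_bad_tag": rolling.accept((2, bytes(8))),
        "rolling_next": rolling.accept((2, make_tag(key, 2))),
        "rolling_far_ahead": rolling.accept((500, make_tag(key, 500))),
    }
```

The 12-bit keyspace is only 4096 values, which is why the fixed-code receiver offers no protection once freshness is absent; the rolling receiver's security rests on the secret key and the monotonic counter instead.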
USB and scripts. Keyboard HID emulation and Momentum’s JavaScript engine enabled a payload that launches PowerShell, collects environment variables, IP, Wi-Fi profiles and passwords (via netsh), and dumps them to a disk image mounted as Mass Storage, all in an automated and traceable way.
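A detection sketch for the chain described above, added here as an example and not taken from the paper's materials: it correlates the arrival of a new HID keyboard with PowerShell, netsh WLAN profile enumeration and a mass-storage device in the same short window. The event schema, the 60-second window and the sample events are constructed assumptions; a real deployment would map its own endpoint telemetry onto these fields.

```python
import re

WINDOW_S = 60  # assumed correlation window after a new keyboard appears
POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.I)
NETSH_WLAN = re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profile", re.I)

# Constructed, normalized events (hypothetical schema, not a real log format).
EVENTS = [
    {"t": 100, "type": "usb", "cls": "hid_keyboard"},
    {"t": 103, "type": "proc", "cmd": "powershell.exe -NoProfile"},
    {"t": 105, "type": "proc", "cmd": "netsh wlan show profiles"},
    {"t": 109, "type": "usb", "cls": "mass_storage"},
    {"t": 900, "type": "proc", "cmd": "powershell.exe Get-Date"},
    {"t": 2000, "type": "usb", "cls": "hid_keyboard"},  # e.g. a dock, benign
]

def detect(events, window_s=WINDOW_S, min_reasons=2):
    """Alert when a newly attached keyboard is followed by the chain in the text."""
    alerts = []
    for kb in events:
        if kb["type"] != "usb" or kb["cls"] != "hid_keyboard":
            continue
        t0 = kb["t"]
        # Commands started shortly after the keyboard was attached.
        cmds = [e["cmd"] for e in events
                if e["type"] == "proc" and 0 <= e["t"] - t0 <= window_s]
        reasons = []
        if any(POWERSHELL.search(c) for c in cmds):
            reasons.append("powershell_after_new_keyboard")
        if any(NETSH_WLAN.search(c) for c in cmds):
            reasons.append("wlan_profile_enumeration")
        # A storage device appearing around the same time is the dump target.
        if any(e["type"] == "usb" and e["cls"] == "mass_storage"
               and abs(e["t"] - t0) <= window_s for e in events):
            reasons.append("mass_storage_same_session")
        if len(reasons) >= min_reasons:
            alerts.append({"t": t0, "reasons": reasons})
    return alerts
```

Requiring at least two independent signals keeps an ordinary keyboard hot-plug or an administrator's PowerShell session from alerting on its own.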
Bluetooth (BLE). BLE Spam generated high volumes of advertising/requests with randomized MAC addresses and multiple pop-ups (Figure 3); in certain scenarios, iOS showed restarts/modals, affecting availability at short range.
GPIO and extensions. No devboards or external antennas were tested; community evidence suggests that they extend range and attack surface, making them priority lines for future validation.
Overall analysis. The device showed high versatility to emulate, clone, and automate interactions, with clear limits in the presence of rolling-code, well-configured deployments, and the absence of specific accessories. The findings support migrating legacy credentials (e.g., MIFARE Classic → DESFire), hardening wireless configurations, and improving security hygiene.

4. Conclusions

The experimental evidence shows that the Flipper Zero is effective for auditing common wireless systems: cloning/editing MIFARE Classic 1K via Nested Attack; opening systems with fixed codes in sub-GHz; automation/exfiltration in Windows via USB HID+Mass Storage; and availability degradation with BLE Spam. These capabilities coexist with effective barriers (e.g., rolling-code) and with the need for accessories to extend range.
Recommendations for defenders. Replacement of MIFARE Classic with DESFire or options with robust cryptography; systematic use of rolling-code and secure pairing management; surface reduction (e.g., disable BLE visibility when not necessary) and rate-limiting on exposed devices; controls against HID injection and adoption of U2F as a hardware second factor; and targeted awareness and training for non-technical personnel.
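The rate-limiting recommendation interacts with the address randomization seen in the BLE Spam tests; the following added example (not from the paper) shows why a limit keyed on the advertiser address does nothing against randomized addresses, while a global limit on pairing prompts does. The limits, window, and the constructed burst of 200 advertisements are assumptions.

```python
from collections import defaultdict, deque

class PromptLimiter:
    """Allow at most `limit` pairing prompts per `window_s` seconds, per key."""

    def __init__(self, limit, window_s, per_address):
        self.limit, self.window_s, self.per_address = limit, window_s, per_address
        self.seen = defaultdict(deque)

    def allow(self, t, addr):
        # Keying on the address is the weak choice when addresses are randomized.
        key = addr if self.per_address else "*"
        q = self.seen[key]
        while q and t - q[0] >= self.window_s:
            q.popleft()  # drop prompts that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True

def constructed_burst(n=200, duration_s=10.0):
    """Constructed sample: every advertisement carries a fresh address."""
    return [(i * duration_s / n, f"addr-{i:04d}") for i in range(n)]

def prompts_shown(limiter, adverts):
    """How many advertisements would still raise a prompt on screen."""
    return sum(limiter.allow(t, addr) for t, addr in adverts)

def compare(limit=2, window_s=30.0):
    burst = constructed_burst()
    per_addr = prompts_shown(PromptLimiter(limit, window_s, True), burst)
    global_ = prompts_shown(PromptLimiter(limit, window_s, False), burst)
    return per_addr, global_
```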
As future work, we propose empirical validation of GPIO/Wi-Fi devboards (e.g., Evil Portal, Wi-Fi Marauder), exploration of dedicated sub-GHz antennas, and deeper analysis of dense-interference scenarios, extending range and resilience metrics.

Author Contributions

Conceptualization, F.J.M.-R. and A.J.D.-B.; methodology, F.J.M.-R.; software, F.B.-M. and B.M.R.-G.; validation, F.J.M.-R., M.Á., and B.M.R.-G.; formal analysis, B.M.R.-G.; investigation, A.J.D.-B.; resources, F.B.-M.; writing—original draft preparation, F.J.M.-R.; writing—review and editing, F.J.M.-R., A.J.D.-B., F.B.-M., B.M.R.-G., and M.Á.; supervision, F.J.M.-R.; project administration, F.J.M.-R.; funding acquisition, M.Á. All authors have read and agreed to the published version of the manuscript.

Funding

This research is carried out within the framework of the funds of the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation)—National Cybersecurity Institute (INCIBE) in the project C109/23 “Strategic Project UEx (Polytechnic School of Cáceres)—INCIBE”.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The datasets generated and analyzed during this study are not publicly available due to security and ethical considerations, as they could be misused if disclosed. Requests for further information should be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Flipper Zero Links. Available online: https://cdn.flipperzero.one/flipperzero-links.html (accessed on 20 February 2025).
  2. Cass, S. A Hacker’s Delight > You’ll Either Love or Hate the Flipper Zero. IEEE Spectr. 2023, 60, 18–20.
  3. Mata-Hernandez, R.; Cardenas-Juarez, M.; Simón, J.; Stevens-Navarro, E.; Rizzardi, A. Exploring the Path Loss of a Hacking Tool for Security Matters in the Internet of Things. In Proceedings of the 2023 IEEE International Autumn Meeting on Power, Electronics and Computing (ROPEC), Ixtapa, Mexico, 18–20 October 2023; pp. 1–6.
  4. MonstaTek—Monstatek.com. Available online: https://www.monstatek.com/ (accessed on 20 February 2025).
  5. Flipper Zero Prohibido Por Amazon Por Ser Un ‘Dispositivo de Robo de Tarjetas’—Osint.com.ar—Osint.com.ar. Available online: https://osint.com.ar/flipper-zero-prohibido-por-amazon-por-ser-un-dispositivo-de-robo-de-tarjetas/ (accessed on 20 February 2025).
  6. Pacheco, C. Primer País del Mundo en Prohibir la Venta, Uso e Importación de Flipper Zero—Computerhoy.20minutos.es. Available online: https://computerhoy.20minutos.es/tecnologia/flipper-zero-prohibido-hackers-robar-coches-1364224 (accessed on 20 February 2025).
  7. El robo electrónico que tiene en pánico a Francia y puede llegar a España: Así es Flipper Zero. Available online: https://okdiario.com/curiosidades/robo-electronico-que-tiene-panico-francia-puede-llegar-espana-asi-flipper-zero-14133346 (accessed on 20 February 2025).
  8. MicroSD Card Setup—Flipper Zero—Documentation—Docs.Flipper.Net. Available online: https://docs.flipper.net/basics/sd-card (accessed on 25 February 2025).
  9. Momentum FW for Flipper Zero—Momentum-fw.dev. Available online: https://momentum-fw.dev/ (accessed on 20 February 2025).
Figure 1. Components of the Flipper Zero.
Figure 2. Sub-GHz tests and limitation due to rolling code.
Figure 3. Popup on a Bluetooth device.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
