If there’s one thing to say about the $169 Flipper Zero, it’s that it’s really damn cute. When the Flipper is idling, the cyber dolphin that appears in all the apps and product materials as the device’s mascot can be found lounging around, making sly references to older movies. Sometimes, they record a dancing praying mantis or swimming in the ocean. The little dolphin cries elephant tears whenever you try to turn off your thumb-sized hacking and pentesting tool. My little dolphin’s name is Miakal. It is a unique ID that the device-makers give to every Flipper to Tomogotchi-ify the device and also make it more identifiable for the company and-—potentially—law enforcement.
The company released its new Video Game Module earlier this month, which did two things. One, it set a new wave of speculation for what they could get Flipper’s thumb-sized doohickey to do with DVI-D input and a Raspberry Pi chip. Two, it kept that same old conversation surrounding whether the Flipper Zero was a hacking tool, allowing even the most technologically illiterate to get up to all sorts of mischief. It’s not illegal, but Amazon has banned device sales, and Canada also seems poised to ban the Flipper.
After using the radio frequency leatherman-like tool with its new module for about two weeks, I’ve understood that the antagonistic sentiment toward the device has been blown excessively out of proportion. If Flipper should be known for innovation, it should be in terms of form rather than function. The Flipper Zero is smart because it packs so much capability inside a device that slips easily into your pocket. The Video Game Controller is an example of how modular the Flipper designers first made the original pentesting tool. It’s an example of how the UK-based company thinks about its hardware ecosystem— as more of a developer playground than a hacker’s haven.
The Video Game Module itself is a $50 add-on to the Flipper that could act as a stand-alone development platform but is best paired with the Zero for full functionality. It means you can cast your flipper screen to a monitor or TV, plus the built-in gyroscope should allow for Wii remote-like motion-based controls (emphasis on should). With a few more GPIO pins, the module could act as another standard development platform for people to explore the use of the Flipper with the added power of what’s essentially the same chip as the Raspberry Pi Pico.
Ignore the attention-chasing TikToks and fake YouTube videos because the Flipper is not turning every average miscreant with an internet connection into Mr. Robot. At best, the Flipper can teach you a fair bit about the different types of signals most commonly used in consumer products while making it clear just how awful the most common device and building security is today.
What Can the Video Game Module Do?
The $49 Video Game module is still nascent, and if you’re not connecting external boards or writing code for new apps, you may find there are currently a few applications for the extra Flipper module. Ostensibly, it harvests the capabilities of one of the most popular Raspberry Pi chips equivalent to a Pi Pico.
For now, we haven’t seen too many apps extensively use the new device, save for a few that use the motion controls. Those apps available on the official Flipper Labs app store include games like Air Arkanoid that use the gyroscope. You can also connect the Flipper by USB-C or Bluetooth and use the Flipper as an air mouse for controlling your PC or other device. This is not perfect, nor very one-to-one. Playing games with the motion controls is a struggle with seemingly spotty sensitivity. Using the device as an air mouse is more of a novelty, as even over Bluetooth, trying to perform any precise clicks is finicky.
However, with the Raspberry Pi chip inside the VGM, there’ll likely be a few unexpected functions for the new add-on. With the GPIO ports on the controller, you can install some extra firmware and run a few wires into an oscilloscope device to comprehend different waveforms, as demonstrated by YouTuber Derek Jamison.
As expected, the Flipper community is already plugging away, testing different ways they can push the hardware of the new module by itself and how it can interact with the Flipper Zero.
The other major function of the new add-on is its DVI-D port that can connect to either TVs or monitors through your regular HDMI cable (the company told Gizmodo it didn’t officially name the port “HDMI” due to copyright issues). The Flipper screen is extra big in 640х480 resolution at a base of 60 Hz. Very little quality is lost between the regular Flipper screen and how it looks on a far bigger monitor. I tested it on several displays of varying sizes, and the flipper filled up the screen with practically no discernible input lag. However, this won’t connect audio to the monitor, so you’ll still hear all the small, chiptune-like sounds from the Flipper device.
The module connects via 16 pins to the GPIO ports on top of the Flipper Zero. There’s no latch to make sure the pins stay secure. The module would fall off the main device when it was in my backpack or coat pocket. I was constantly concerned that the exposed pins might get bent or damaged. What would help is if the module came with some sort of cover, but as of now, there’s nothing available save for what you could potentially build yourself.
So it’s not perfect, and in its current form, it’s limited by a lack of apps for those who aren’t the types to shove wires into their Zero. In a recent interview, Flipper co-founder and COO Alex Kulagin told Gizmodo that the VGM doesn’t let you suddenly blast your screen wirelessly to a separate TV. No, you won’t be able to take over Times Square with photos of your cat. Maybe with extra resources and some ingenuity, the hacker types will find new penetration capabilities. Still, for now, it’s a rather simple add-on that’s more useful for developers than laypeople.
Kulagin told us the company plans on making even more modules that similarly attach to the Flipper. The company may want to invest in a few ways to protect its hardware or help it stay attached once you start swapping out different modules. As long as it’s still on the market, the Flipper team hopes other developers and device makers start making compatible modules for the hacker’s Tamagotchi. In the four years since the first Kickstarter, DIYers have developed some add-ons, such as a range extender.
What is the Flipper Good For?
The Flipper has gained notoriety thanks to a wave of TikToks and other bogus media blasting claims they can use the Flipper to unlock any modern car or that it can clone a credit card. The Flipper can scan the identity information of a credit card’s NFC signal and the sub-Ghz signal from a key fob. However, the Flipper can’t copy the security code on cards or unlock a car door since the latter uses rolling codes that change after every use. Unless some hacker finds a vulnerability inside a car fob that lets them bypass rolling codes, Flippers aren’t going to facilitate carjackings any time soon, despite what certain Canadian politicians may warn against.
For example, the Flipper can copy signals from the 2024 Hyundai Elantra’s key fob on its Sub-Ghz frequency (which I had to record manually on the correct frequency), but playing it back won’t actually unlock the car. As Kugalin had previously emphasized to me and others, unlock a car just because you’re playing one instance of the signal.
Over the past few years, Hyundai and fellow carmaker Kia were forced to deal with a wave of thefts for some of their 2013 through 2022 car models. The companies issued updates to their earlier model vehicles to try and prevent these thefts. However, it’s not like Flippers were involved in these thefts since the carjackers abused the vehicles’ lack of ignition immobilizers with a simple screwdriver and USB connector.
Speaking of cars, a Flipper can unlock some parts of Tesla cars, such as their charging ports, with a duplicated NFC signal. Other than trolling the average Tesla owner, this isn’t necessarily causing widespread societal disruption. It’s one of those odd design choices from Tesla that’s compromised security for convenience.
Are there other nefarious uses for a Flipper? Of course. The Flipper can interact with infrared—or IR—signals, which means you can operate most TVs, projectors, and air conditioners by copying the remote or just pointing it at the screen and hitting the power button. If you want to be a nuisance to your local Best Buy, you can, depending on the TV model. If I ever lose that, it can copy my air conditioner remote. But by default, the harms are emulated by a range of tech that existed before the Zero’s debut in 2020.
The Flipper’s biggest claim to fame is its ability to scan and emulate NFC, sub-Ghz RFID, and infrared signals to become a kind of radio multi-tool. Can it scan and emulate your work ID to access a building? Yes, it absolutely can, for better or worse. Does this present security issues for offices, warehouses, or far more sensitive locations? Oh, you bet, but it also belies the obvious point that tech to scan and replicate sub-Ghz RFID has been around for years. Companies still rely on this overtly problematic RFID security technology to know about this issue. Yet, both new and old companies use it simply because it’s less expensive to implement than other security tech.
Now, can it copy debit cards? Yes and no. The Flipper can read NFC signals, including your bank card, but that doesn’t mean people can immediately hack into your account. In this case, it won’t read the security codes, which are the CVC numbers, so it can’t imply it’s a debit card on your average machine. Is it still rotten to know your card details are still available? For sure. Again, this security vulnerability has existed since the dawn of debit cards.
Suppose you stick to Flipper Zero’s baseline with the default firmware and only stick to apps you can get from the curated selection on Flipper’s site. In that case, it is not nearly as dangerous of a device as those fake viral videos try to imply. The Flipper app store is filled with slightly gimmicky games and tools that don’t necessarily do much harm.
However, the Flipper is an open-source device, so a range of different firmware already expands the capabilities and potential harms of the Flipper. Roguemaster firmware includes the ability to brute force pins to unlock phones through the Bad USB app. The Xtreme firmware suite opens a multitude of apps that wouldn’t be allowed on Flipper’s app store, such as one that proved effective at shutting down iPhones with a DOS attack before Apple eventually patched that hole.
The Flipper Zero is a Unique Device for the Amateur Pentester, Not a Magic Wand
Should you buy a Flipper Zero, let alone the Video Game Module? Well, if you’re not the kind of person who’s interested in exploring radio signals but you’re looking to get all your work cards and remotes on one device, it does the trick. The fact that it’s just such a cute device is icing on the cake.
Otherwise, it’s best to describe the Flipper as an RF leatherman. It does a lot to read, store, and reproduce different signal types, but it won’t do everything as well as purpose-built devices. It’s a great educational device to learn about the different types of signals and how they’re used in common security capacities—though more so, how they’re easily abused. If you’re a developer, then you probably already know the use cases for such a small doohickey, and the best I can tell you is it works as described, save for a few issues I have with the gyroscope and loose connection between the module and GPIO ports.
As far as its problematic nature, there’s no denying hacker types are finding new ways to abuse common signals with the device, but it’s not flipping the world on its head. Let’s call a spade a spade here. The Flipper Zero makes clear the long-existing vulnerabilities with our signal technology.
Many people are making up ghost stories about the army of pseudo-hackers breaking the world open like a fragile egg. Flipper’s only crime is making it clear how cheap other companies have been as they keep using it and how they would be better off strengthening their systems than complaining about the sub-$200 that can easily break them.