Flipper Zero

The Flipper Zero is a portable, open-source multi-tool that can record and replay RF signals across Bluetooth Low Energy, sub-GHz, and infrared. It does not introduce new attack techniques. It lowers the barrier to executing existing wireless attacks, making them more accessible, repeatable, and scalable. While it serves legitimate educational and penetration-testing purposes, its polished interface effectively democratizes wireless attack tooling and exposes the enterprise RF blind spot.

Quick facts

What it is: An open-source, customizable handheld device that records and replays RF signals.
Protocols supported: Bluetooth Low Energy (BLE), sub-GHz on common ISM bands (315, 433, 868, 915 MHz), and infrared. An optional Wi-Fi development board adds 2.4 GHz.
Primary attack types: Sub-GHz capture and replay, BLE spam and pairing-prompt abuse, rolling-code and key fob interaction, and Wi-Fi deauthentication via add-on.
Systems at risk: Access control systems, smart sockets and bulbs, IoT sensors and doorbells, and legacy facility automation using static or unencrypted signals.
How to detect it: Continuous passive RF monitoring across the full spectrum (Bastille covers 100 MHz to 6 GHz, with Wi-Fi to 7.125 GHz) to identify and localize any transmitting device.

This information is provided for general awareness and defense purposes only. It is not intended to be a complete description of the functionality or risks of the identified tools.

What is the Flipper Zero?

The Flipper Zero is a device capable of recording and replaying RF signals. Completely open source and customizable, it can be adapted for a range of use cases. Sold as a development and penetration-testing tool, this device has a range of hacking capabilities. Just as there is a rise in personal digital devices, so too is there a rise in the digitization of access controls and similar systems, and the Flipper Zero has significant potential against access control, IoT, and other smart or radio systems through impersonation attacks or unauthorized access.

How does it work?

The Flipper Zero is equipped with a customizable radio platform that enables it to interact with a range of radio-based systems, including:

  • Access control systems
  • Smart sockets and bulbs
  • IoT sensors and doorbells

These are not the only use cases. There was also a case of a denial-of-service attack executed on an Apple iPhone, which CTO Dr. Brett Walkenhorst details in a short video clip. For more detailed information, see the Flipper Zero site.

What makes the Flipper Zero different

Traditional wireless testing tools require deep technical expertise, complex configuration, and fragmented workflows. The Flipper Zero simplifies this model by combining multiple wireless capabilities into a single, portable device with a polished user experience.

Users can install firmware, launch attacks, and interact with wireless protocols through intuitive menus rather than command-line interfaces. This ease of use changes the threat landscape. It allows more individuals to execute wireless attacks, increases the speed and repeatability of those attacks, and enables rapid expansion of capabilities through an active open-source ecosystem.

Core wireless capabilities

The Flipper Zero operates across several wireless technologies commonly used in enterprise and consumer environments. It supports Bluetooth Low Energy, sub-GHz communications across common ISM bands such as 315, 433, 868, and 915 MHz, and infrared. It also supports hardware extensions, including a Wi-Fi development board that expands functionality into 2.4 GHz networks.

This multi-protocol design allows a single device to interact with building automation systems, IoT devices, and consumer electronics. The convergence of these capabilities increases risk by enabling interaction across multiple wireless domains from a single platform.

Sub-GHz signal capture and replay

The Flipper Zero can identify a frequency, capture a transmission, and retransmit it within seconds. This capability allows it to mimic legitimate devices and trigger actions in systems that rely on static or predictable signals, such as lighting systems, fans, and other IoT devices.

Many enterprise and facility systems still rely on these weaker implementations, making them vulnerable to replay-based interactions.

Bluetooth Low Energy (BLE) abuse

The device can generate Bluetooth Low Energy traffic that mimics legitimate devices, triggering repeated pairing prompts or proximity-based notifications. These attacks disrupt usability, create persistent distractions, and in some cases cause instability in vulnerable or poorly implemented systems.

They can also interfere with Bluetooth-dependent technologies, including medical and industrial devices, particularly when high traffic volumes are present.

Rolling code and key fob interactions

The Flipper Zero can interact with sub-GHz key fob systems used in vehicles and access controls. It supports replay attacks against static-code systems and can capture rolling-code sequences under specific conditions that require timing, proximity, or additional techniques.

While the device does not enable full vehicle compromise, it can interfere with wireless entry systems in environments where protections are weak or improperly implemented.
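
The difference between static-code and rolling-code receivers described in the two sub-GHz sections above, shown from the receiver's side. This is an added example, not code from Bastille or any product: a simplified counter-plus-HMAC scheme stands in for real rolling-code designs, and the key, frame layout, and window size are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by remote and receiver
WINDOW = 16                    # assumed tolerance for presses made out of range

def static_frame(device_id):
    # Static-code remote: identical bytes on air for every button press.
    return device_id.to_bytes(3, "big")

def rolling_frame(device_id, counter, key=KEY):
    # Rolling-code remote (simplified): id + counter + truncated HMAC over both.
    body = device_id.to_bytes(3, "big") + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class StaticReceiver:
    def __init__(self, device_id):
        self.expected = static_frame(device_id)

    def accept(self, frame):
        # No freshness check: a recording is indistinguishable from the remote.
        return frame == self.expected

class RollingReceiver:
    def __init__(self, device_id, key=KEY):
        self.device_id, self.key, self.last = device_id, key, 0

    def accept(self, frame):
        if len(frame) != 15:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        if int.from_bytes(body[:3], "big") != self.device_id:
            return False
        counter = int.from_bytes(body[3:], "big")
        if not self.last < counter <= self.last + WINDOW:
            return False  # already used (replay) or implausibly far ahead
        self.last = counter
        return True

def replay_outcomes(device_id=0xA1B2C3):
    # Present the same frame twice to each receiver: first press, then a replay.
    s, r = StaticReceiver(device_id), RollingReceiver(device_id)
    sf, rf = static_frame(device_id), rolling_frame(device_id, 1)
    return [s.accept(sf), s.accept(sf)], [r.accept(rf), r.accept(rf)]
```

The static receiver accepts the frame both times, while the rolling receiver accepts it once and rejects the second presentation because the counter has already advanced.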

Wireless disruption via Wi-Fi add-ons

With an optional Wi-Fi module, the device can perform deauthentication attacks on 2.4 GHz networks. These attacks force devices off a network and disrupt connectivity in environments that do not enforce the use of protected management frames.

Because many IoT and operational systems rely on 2.4 GHz connectivity, this remains a relevant and practical threat vector.
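
One way a monitoring pipeline could flag the BLE advertising floods and Wi-Fi deauthentication bursts described in the sections above. This is an added example, not Bastille's detection logic: the event tuple format, thresholds, and sample log are constructed, and it assumes a BLE flood shows up as many never-before-seen advertiser addresses in a short window.

```python
from collections import defaultdict, deque


def detect_bursts(events, window_ms=5000, ble_new_addrs=20, deauth_frames=10):
    """events: (ts_ms, kind, src, bssid) tuples in time order, as a passive
    sensor might log them. Returns one (ts_ms, alert, key) per burst onset."""
    known = set()                 # every BLE advertiser address seen so far
    novel = deque()               # timestamps at which a new address appeared
    deauth = defaultdict(deque)   # bssid -> timestamps of recent deauth frames
    active, alerts = set(), []

    def edge(key, firing, ts):
        # Edge-triggered: alert when a condition starts, not on every frame.
        if firing and key not in active:
            active.add(key)
            alerts.append((ts, *key))
        elif not firing:
            active.discard(key)

    for ts, kind, src, bssid in events:
        if kind == "ble_adv":
            if src not in known:
                known.add(src)
                novel.append(ts)
            while novel and novel[0] < ts - window_ms:
                novel.popleft()
            edge(("ble_adv_flood", None), len(novel) >= ble_new_addrs, ts)
        elif kind == "deauth":
            q = deauth[bssid]
            q.append(ts)
            while q[0] < ts - window_ms:
                q.popleft()
            edge(("deauth_burst", bssid), len(q) >= deauth_frames, ts)
    return alerts


def sample_events():
    """Constructed sensor log: normal traffic plus one BLE flood and one deauth burst."""
    ev = [(t, "ble_adv", f"bg-{i}", None) for t in range(0, 30001, 1000) for i in range(3)]
    ev += [(12000 + 25 * i, "ble_adv", f"rand-{i}", None) for i in range(40)]
    ev += [(t, "deauth", "sta", "02:00:00:00:00:01") for t in (3000, 20000)]
    ev += [(25000 + 50 * i, "deauth", "sta", "02:00:00:00:00:02") for i in range(15)]
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

The thresholds are illustrative and need tuning against a site's normal advertising and roaming baseline.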

Why enterprises should take this seriously

The Flipper Zero highlights a broader issue rather than introducing new vulnerabilities. Many organizations lack visibility into the wireless environment and maintain blind spots across Bluetooth, sub-GHz, and other non-Wi-Fi protocols.

Security programs often focus on networks and endpoints while overlooking the RF spectrum. At the same time, organizations continue to rely on legacy wireless systems that use weak or unencrypted protocols. Combined with the growing accessibility of offensive tools, these gaps create opportunities for unauthorized activity.

How can I uncover a Flipper Zero?

With robust wireless monitoring, you can see any device transmitting in your space. If your wireless and physical monitoring systems are integrated, you also gain an added layer of visibility that helps you respond to a breach carried out with a Flipper Zero.

What can I do to defend against this threat?

Bastille recommends a few security best practices for this type of threat:

  • Keep your systems up to date: Keeping all systems up to date, such as your access control systems or your IoT tech, will help ensure they are running the latest security updates.
  • Update and enforce your security policy: Establish a corporate policy regarding these types of devices and educate all employees on it to help keep your space secure.
  • Stay up to date: The landscape of wireless security is constantly evolving. To defend against these threats, you need to know what is out there. Check out our recent webinar on Wi-Fi Vulnerabilities, in which CTO Dr. Brett Walkenhorst dives into the Wi-Fi protocol, the Wi-Fi Pineapple, and other related hacker devices.

How Bastille addresses this threat

Bastille provides continuous visibility into the wireless environment through 100% passive monitoring of the RF spectrum. This approach allows security teams to detect unauthorized Bluetooth activity, sub-GHz transmissions, and anomalous wireless behavior in real time.

Unlike traditional tools that focus only on Wi-Fi networks, Bastille provides visibility across multiple wireless protocols that devices like the Flipper Zero actively exploit. Its coverage spans 100 MHz to 6 GHz, with Wi-Fi coverage extending to 7.125 GHz, aligning with the frequencies used by these devices. Bastille applies patented algorithms and analysis to localize the source of wireless activity, enabling security teams to investigate and respond quickly.

The catalyst

RF attacks shift from niche, fragmented hardware to portable, highly accessible consumer devices that anyone can operate.

The reality

No new vulnerabilities are created. Unmonitored legacy wireless protocols such as sub-GHz and BLE are exploited in plain sight.

The imperative

Enterprise security must expand beyond traditional networks and endpoints to actively monitor the physical RF airspace.

Key takeaways

Wireless threats extend beyond Wi-Fi, with Bluetooth, sub-GHz, and infrared technologies presenting viable attack surfaces. The Flipper Zero demonstrates how easily adversaries can execute these techniques, increasing both intentional and accidental risk.

The critical issue for organizations is visibility. Without insight into the wireless environment, security teams cannot detect or respond to these threats effectively. As wireless technologies continue to expand, monitoring the RF spectrum becomes essential to maintaining a comprehensive security posture.
