You may have heard of the Flipper Zero. It’s marketed as a “Portable Multi-tool Device for Geeks”—a programmable portable device packed with hardware that facilitates wireless penetration testing and hacking on the go. The device, which greets its owner with an adorable cyber-dolphin on its monochrome 128x64 pixel screen, is facing problems in Brazil: despite products with similar features being available to Brazilians, the national telecoms regulator Anatel has flagged the Flipper Zero as a device that serves illicit purposes, or facilitates a crime or misdemeanor. As with other radio frequency emitting devices, when the Flipper Zero is shipped to the country, the national post office intercepts and redirects the device to Anatel for certification. Anatel then decided not to certify the equipment, and seize it as a result—not allowing the Flipper Zero to proceed to its final destination.

Maciej Łutczyk, CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0), via Wikimedia Commons

The device itself doesn’t introduce any fundamentally new technologies. All of the hardware—the infrared transceiver, RFID reader/emulator, SDR and Bluetooth LE capabilities—are available in other, perhaps more specialized products. What is novel about the Flipper Zero is its form factor and interface, which make it portable and easy to use in the field. 

The Flipper Zero has been called a hacking multi-tool. And like a physical multi-tool, there are no doubt uses of it which would facilitate committing a crime. But also like a physical multi-tool, this is no justification for banning access to the device wholesale. Laws are already in place which criminalize acts of malicious hacking. Banning trade tools will only make security systems more vulnerable by limiting the access of those working to secure these systems. The malicious hacking that concerns Anatel and that Flipper Zero would allow is dependent on systems' vulnerabilities—those are the actual problems that deserve a fix. But we can only patch security flaws once we know they exist, and that's what security research is for.

The Flipper Zero has clear uses: penetration testing to facilitate hardening of a home network or organizational infrastructure, hardware research, security research, protocol development, use by radio hobbyists, and many more. But it is likely its unique UX design that has gained the product its notoriety and garnered it media attention—the latter of which has partially contributed to a negative portrayal of its capabilities as “trouble waiting to happen and a whole lot more.”

It is this notoriety and portrayal that has Anatel focused on it as an illicit device while other hardware remains available in the country. Despite the legitimate uses of a Flipper Zero, Anatel has chosen to focus on the possibility of illegal usage of the device. Banning the device outright will result in tangible harms. Professionals will have access to tools of their trade arbitrarily limited, and (contrary to the stated goal of Anatel) may be unable to develop techniques to mitigate the potential harms done by malicious hackers with the same devices.

The creation, possession or distribution of tools related to security research should not be criminalized or otherwise restricted. As we have explained, drawing on rights recognized by the American Convention on Human Rights, cybersecurity tools are crucial to the practice of defensive security and have legitimate uses, such as identifying and testing practical vulnerabilities. Coding is a protected expressive activity and the use of computer code to examine computer systems and find security flaws is an essential step to get them patched and improve privacy and security for us all.

Denying certification to Flipper Zero doesn't prevent the use of other tools to exploit the same vulnerabilities, as it doesn't stop people from bringing a Flipper Zero from abroad in their bag without having to ship it through the Brazilian border. While Brazilian law forbids the use of radio frequency emitting devices that don't have Anatel's certification, such illegality would hardly deter a malicious hacker. Those with malicious intent would find ways to use the device without having to leave a paper trail. The agency's actions hamper those engaged in security research. We call on the Brazilian authorities to reconsider their decision and allow access to technical trade tools, including the Flipper Zero.

Related Issues