The Brazilian National Telecommunications Agency is seizing incoming Flipper Zero purchases due to its alleged use in criminal activity, with purchasers stating that the government agency has rejected all attempts to certify the equipment.
Flipper Zero is a portable multi-function cybersecurity tool that allows pentesters and hacking enthusiasts to tinker with a wide range of hardware by supporting RFID emulation, digital access key cloning, radio communications, NFC, infrared, Bluetooth, and more.
Since it was released, security researchers have demonstrated Flipper Zero's features on social media, showing how it can trigger doorbells, perform replay attacks to open garage doors and unlock cars, and be used as a digital key.
Brazil requiring certification
Multiple people in Brazil who purchased the Flipper Zero hacking tool have reported that their shipments are being redirected to Brazil's telecommunications agency, Anatel, due to a lack of certification with the country's Radio Frequencies department.
This type of seizure is usually associated with compliance with the country's electronic and telecommunications standards for devices emitting radio signals.
Because Flipper Devices Inc. is not certified in Brazil according to this standard, the device is not allowed to circulate freely in the Brazilian market.
However, according to a recent report by the Electronic Frontier Foundation (EFF) and emails seen by BleepingComputer, Anatel has flagged the device as a tool used for criminal purposes, complicating its clearance and preventing it from reaching its final destination.
Flipper Zero has gained a reputation from users who showcased its hacking capabilities on social media to perform illegal activities such as unlocking cars, changing gas pump prices, intercepting and storing remote control signals, opening garage doors, and more.
Although the device does not use hardware that is illegal or impossible to find elsewhere, its market success fueled a wave of negative media attention that portrayed it as a risk to society.
The unexpected interceptions of the $169 portable multi-functional tool created for pen-testers and hacking enthusiasts began at the start of the year and are still ongoing.
Buyers from Brazil have been exchanging advice on Reddit in the past couple of months, trying to get their items cleared by Anatel.
A user has posted detailed instructions on applying to Anatel for a personal homologation certificate for Flipper Zero, which should make it usable by the buyer, albeit while preventing resale to others in Brazil.
However, many buyers report that the agency has rejected this certification procedure because Flipper Zero is allegedly being used to facilitate crime.
"Anatel's certification area informs that the equipment called FLIPPER ZERO has been used in the country by malicious users in facilitating a crime or criminal misdemeanor and, as provided for in item II of Art. 60 of the Regulation for Conformity Assessment and Homologation of Telecommunications Products (annex to Resolution No. 715, of October 23, 2019), Anatel has rejected all homologation requests for the product in question, in order to collaborate in the protection of Brazilian citizens against criminal actions," reads a letter received by Flipper Zero customers in Brazil.
Anatel concludes the message by saying that the item will be sent back to the post office with the suggestion to return it to the sender.
EFF argues that an outright ban on Flipper Zero by the Brazilian authorities will limit security researchers' access to powerful portable cybersecurity tools, harming their work and negatively impacting the field.
"The Flipper Zero has clear uses: penetration testing to facilitate hardening of a home network or organizational infrastructure, hardware research, security research, protocol development, use by radio hobbyists, and many more," argues EFF.
"The creation, possession or distribution of tools related to security research should not be criminalized or otherwise restricted."
Those who purchased the devices from Joomf and have had their Flipper Zero seized have been told they would be reimbursed.
BleepingComputer has requested comment on the above from Anatel and FlipperZero, but we had not heard back by publication time.
Comments
XSp - 1 year ago
Agreed with the EFF on this one.
The core issue here is pretty simple - people buying a few units to be delivered via mail like this are in the vast majority just pen testers, people trying to understand how this works better, and hobbyists in general.
The product gets registered in the person's name and postal service plus customs have a record on this, it makes no sense for criminals to purchase those in that manner.
So, what a prohibition like this effectively does is block access for people trying to combat or just play with the device, or use it in legitimate scenarios, while it lets all the criminals who will get this thing via black and grey markets still go with it.
Shipments coming from other countries that don't pass the same scrutiny that individual mail does, contraband from neighboring countries, among a few others are the routes people who intend to use this for criminal activity will choose.
Though arguably, criminals won't get their hands on stuff like this at all, other than very few sophisticated groups... even though it's pretty cheap for international standards, it's still too pricey and sophisticated for common criminals thinking of stealing cars, opening garage doors and whatnot. Same ol' thing - doesn't matter if you have a fancy lock, criminals will just bust the windows and enter that way instead.
So obviously, it's a net positive if people in the security community are trying to get their hands on one of those to find ways to stop it. Electronic devices security is already as poor as it can be here, trying to block things like that from coming here just worsens the situation.
But you know, this is exactly the sort of empty reactionary short sighted uninformed decision that we Brazilians have come to expect from authorities and politicians.
Someone up likely read, heard of or watched a story about this, and just decided to ban the thing outright.
I'll tell you something else on this topic - you can still buy a whole host of separate devices that do the same thing as Flipper Zero on stores like Alibaba and get it delivered at home here. Replay attack devices, RFID cloning, etc. I have toyed with some of those myself.
Funny enough, Flipper Zero might be a victim of its own marketability.
If it was just like an ugly devboard thing that looked a bit janky, I doubt it would've come to this.
kathkimmy - 1 year ago
Brazil is seizing shipments of Flipper Zero, a $200 portable security penetration testing tool for IoT devices, due to its alleged. Curious why they are focusing on this gadget when every hacking function in it has a related item for sale.
h_b_s - 1 year ago
"Brazil is seizing shipments of Flipper Zero, a $200 portable security penetration testing tool for IoT devices, due to its alleged. Curious why they are focusing on this gadget when every hacking function in it has a related item for sale."
As the article mentioned, it got some publicity that made it more visible to the Powers That Be.
Brazil appears to be making the case that they believe the Flipper's primary use case is to break the law regardless of how it's marketed (no one with half a brain ever believes "for educational use only" disclaimers anyway), therefore it's illegal to own one regardless of intent. Similar reasoning is used to outlaw radio frequency jammers in the US, or lock picks in many local US jurisdictions.
Just because it's a single product and they're overlooking other devices is irrelevant. That's like saying US Customs should give up confiscating knock off Gucci from Chinese counterfeiters because knock off Nikes are still making it through from India. It's a spurious argument.
XSp - 1 year ago
...only your argument is a false equivalence fallacy.
The product in question is not a knock off product nor is it breaking any law by itself. It's a repackaged Raspberry Pi Zero W with software in it and a cute case on top, with adequate sensors for pen testing in a portable format for convenience, just that. The software is open source, and you can put it together with off the shelf parts.
You want a closer equivalent to this ban, it'd be like banning laptops that came with Kali Linux pre-installed. It's a stupid and premeditated decision.
Radio frequency jammers are a problem mostly because they can interfere with emergency channels, FCC enacted specific law to address it. This product does not fall into that classification, it doesn't have that capability.
Lockpicks are legal in the absolute vast majority of states in the US, there are a handful of states where their status is considered ambiguous, meaning you can be arrested with them if there is also an intent to commit crimes with them, and just a couple where it's more stringent that you can be arrested when carrying them concealed, and the burden of proof lies on you that you did not intend to commit crimes with them.
The understanding from whoever decided to ban this is not only ill informed and alarmist, it's also damaging for people trying to devise methods to secure against the attacks a pen testing device like this one covers. And if you think "for educational use only" is something that only someone with half a brain believes, you simply don't understand what that disclaimer is for, nor do you understand how security works.
Also, in this particular case, like I have already explained, it is indeed relevant that they overlook other products while blocking this one... because it's blocking access from pen testers, white hat hackers and security researchers to the product, while not being effective to stop criminals from getting it and a host of other products similar to it. It's a bad attempt at security through obscurity.
This device wasn't made for or with criminals in mind, it was made for pen testers, something that was made perfectly clear in their ads btw. It's pretty obvious to me looking at their page that people outside the security community will have no idea what they are looking at.
It's a convenient product to have for people in security jobs to test how strong are security practices in a given business, company, organization and whatnot, and it can be used to detect flaws in security for a range of different types of attack. If you don't know where criminals could be coming from, you cannot protect yourself from it - that's the base idea.
ctigga - 1 year ago
It always boils down to the same thing:
*Any* tool can be used for good or for bad.
A USER of the tool decides how they will use a tool.
Prosecute unlawful use and don't block legal use.
A USER with criminal intent doesn't care about legal use to begin with, so restrictions like these only serve to impede the legal user.
We all know how well gun free zones, drunk driving laws, car theft laws, etc., etc., etc. work to save us from criminal behavior.
FlipFlopper - 1 year ago
I wish I had the energy for any of that. My Flipper Zero's sat here being a very miserable, under-utilised, glorified Tamagotchi. With a handful of cloned Amiibos and transit cards in its memory.