In short: The Pinball Zero may look like a harmless children’s toy from the 90s, but it can do much more. The Tamagotchi-like device has been used for everything from opening parking gates and manipulating fast-food menus to reading credit card information through a person’s wallet and pants. Unfortunately for pinball, this scanning ability has received a ban from Amazon, which now considers it a policy-violating card-skimming device.
The device allows users to locate, troubleshoot, test, and debug various types of digital interfaces and hardware devices over radio, radio frequency identification (RFID), near field communication (NFC), infrared, Bluetooth, and other protocols. While these options are not inherently dangerous, many see the ability to emulate multiple devices, cards, or interfaces as one of pinball’s numerous security threats.
The ability to read and emulate NFC data means that cards or devices that are nearby and are transmitting on the 13.56MHz band can be read and possibly (where possible) emulated without the owner’s knowledge can.
Based on this capability, Amazon sees the Flipper Zero’s NFC capabilities as a potential security risk, as many debit and credit cards that offer contactless transactions use NFC communication. The feature qualifies the Flipper Zero as a restricted card skimming device in the Lock Picking & Theft Devices product category from Amazon sellers.
The Flipper Zero project was funded by a Kickstarter campaign in 2020. Specification highlights include:
32-bit ARM Cortex-M4 processor + Cortex-M0+ 32MHz (network) 1MB Flash memory and 192KB SRAM 1.4-inch 128×64 LCD monochrome display, 5-button joystick with back button 2000 mAh battery NFC and infrared RFID reader and writer, GPIO pins iButton reader and writer USB 2.0 connector, type C
Despite this ability to read and emulate NFC data, it is currently impossible for a user to actually clone all the required meaningful data from an unsuspecting victim’s credit card. While the pinball machine is able to read all of the unencrypted NFC data present on the card, it lacks the ability to read the additional encrypted data required to complete a transaction. Based on this, it is not (currently) possible for the Pinball Zero to 100% emulate a bank or credit card that uses NFC.
In a previous interview with Wired, Pinball Zero co-creator Alex Kulagin defended the device, stating that it was intended for educational purposes and for hobbyists’ entertainment. “We want to help you understand something deeply, explore how it works, and explore the wireless world that’s all around you but difficult to understand,” Kulagin said.
Since the ban, Amazon has instructed sellers to remove or delete any listings related to the Pinball Zero or other restricted products. Sellers who fail to respond to the request within 48 hours of receiving their warning will face possible termination of the seller’s account and their funds may be permanently withheld.
While there’s no shortage of YouTube videos and other articles focusing on the pinball’s “more colorful” uses, the truth is that it was never originally designed with chaos in mind.
The multi-antenna device is designed to assist security and other technical professionals in penetration testing, debugging, and other tasks aimed at making products or services more stable and secure. But like any device, it’s only as good or bad as the person using it. According to Kulagain, “It’s not Flipper’s fault. There are bad people out there, and they can do bad things with any computer. We have no intention of breaking any laws.”
