Quiz 01T — Flipper Zero Legal Liability | LawZeee — Know Your Cyber Laws Before You Break It

Question 1

Under 47 U.S.C. § 333, a security researcher uses the Flipper Zero's Unleashed firmware to execute a RollJam attack against a client's vehicle during an authorized physical pentest. The vehicle owner signed the scope letter. Which statement is most accurate regarding FCC liability?

AThe researcher is fully protected because the vehicle owner provided written authorization covering the attack.BThe researcher faces § 333 liability for the jamming phase regardless of client authorization, because the FCC statute contains no private-authorization exception.CThe researcher is protected because the FCC jamming prohibition only applies to licensed radio transmitters, not hobbyist devices.DThe researcher is protected because the FCC's Part 15 classification of the CC1101 transceiver exempts it from § 333.

Question 2

A Flipper Zero user captures and replays a neighbor's fixed-code garage door signal to demonstrate the vulnerability exists. The neighbor did not consent. Under Van Buren v. United States (2021), what is the most accurate CFAA analysis?

AVan Buren protects the researcher because the garage door receiver had no authentication gate — the signal was technically accessible.BVan Buren's "gates up or down" test applies to the "exceeds authorized access" prong only; the researcher is on the "without authorization" prong, so Van Buren provides no protection.CVan Buren eliminates CFAA liability entirely when no password or login prompt blocks access.DVan Buren protects the researcher because the Sub-GHz signal was captured from public airspace, which is an open technical gate.

Question 3

A researcher's Flipper Zero SD card contains cloned credential data from 18 different RFID access badges collected during a building walkthrough — none of the badge holders consented. Which federal statute is most directly triggered by possession alone?

A18 U.S.C. § 1030(a)(2) — unauthorized access to obtain informationB18 U.S.C. § 1029(a)(3) — possession of 15 or more unauthorized access devicesC18 U.S.C. § 1028A — aggravated identity theftD47 U.S.C. § 333 — malicious radio interference

Question 4

During a red team engagement, a researcher plugs a Flipper Zero running a Ducky Script payload into a workstation. The scope letter says "network penetration test" but does not mention physical access or HID injection. The payload executes, opens PowerShell, and exfiltrates credentials to a remote server. Which of the following charges is most likely, and why?

ANo CFAA violation — the scope letter authorizes testing the network, which includes the endpoints connected to it.BCFAA § 1030(a)(5)(A) — knowing transmission of code causing intentional damage, because the scope letter's silence on HID injection means the endpoint was not authorized for that attack vector.COnly FCC § 333 — the USB HID emulation is a radio-frequency transmission requiring license.DOnly 18 U.S.C. § 1343 wire fraud — the CFAA does not cover USB-mediated access.

Question 5

A BadUSB payload executed during an unauthorized intrusion runs a PowerShell keylogger that captures one set of domain administrator credentials. Under 18 U.S.C. § 1028A, what sentencing consequence follows if the defendant is convicted of the predicate CFAA felony?

AAn optional 1-year enhancement at the judge's discretion, which may run concurrently.BA mandatory 2-year consecutive sentence that cannot be suspended, run concurrently, or reduced below 2 years.CA mandatory 5-year sentence if the credentials belonged to a financial institution employee.DNo additional penalty — § 1028A applies only to physical identity documents, not electronic credentials.

Question 6

A Flipper Zero IR blaster is aimed at a nurse call station in a hospital during a physical security assessment. The scope letter covers the physical facility but does not list medical devices. The IR signal causes the nurse call system — which has network connectivity — to reboot and become unavailable for 20 minutes. What is the maximum sentencing ceiling that could apply?

A5 years — the standard § 1030(a)(5)(C) penalty for unauthorized access causing damage.B10 years — the standard § 1030(a)(5)(A) penalty for intentional damage.C20 years — the § 1030(c)(4)(B) critical infrastructure sentencing enhancement applies to computers used in healthcare delivery.DLife imprisonment — any hospital equipment incident automatically triggers the maximum enhancement.

Question 7

A researcher using Flipper Unleashed firmware broadcasts BLE advertisement spam in a crowded conference hall. Several attendees' iOS devices experience repeated popup floods; two Bluetooth stacks lock up entirely, requiring device restarts. Which CFAA provision is most applicable to the locked-up devices?

A§ 1030(a)(2) — obtaining information from a protected computer without authorization.B§ 1030(a)(5)(C) — intentional unauthorized access causing damage and loss, where the Bluetooth stack lockup constitutes impairment to device availability.C§ 1030(a)(5)(A) — only if the researcher intended to damage the devices, which requires specific subjective intent.DNo CFAA violation — BLE advertising is public spectrum and attendees at a public conference have no protected expectation of device availability.

Question 8

The DOJ 2022 CFAA Charging Policy states that good-faith security research should not be charged. A Flipper Zero researcher relies on this policy as a defense after being charged for replaying a signal against a corporate gate without authorization. What is the most accurate legal assessment?

AThe policy operates as a statutory safe harbor and the charge must be dismissed if the researcher demonstrates good faith.BThe policy is prosecutorial guidance only — it cannot be raised as a courtroom defense, and a prosecutor who charges despite the policy commits no legal error.CThe policy applies to all federal and state CFAA-equivalent charges, barring prosecution in California and Texas as well.DThe policy creates a rebuttable presumption of good faith that shifts the burden to the government to prove malicious intent.

Question 9

A Flipper Zero user captures 22 EMV contactless card readings from unsuspecting passengers on a subway. No transactions are initiated. Under 18 U.S.C. § 1029, which provision is triggered by the Flipper's write-capable NFC hardware, separate from the possession count?

A§ 1029(a)(2) — use of an unauthorized access device to obtain things of value.B§ 1029(a)(4) — possession of device-making equipment, triggered by the Flipper's NFC write capability regardless of whether writing actually occurred.C§ 1029(a)(1) — trafficking in counterfeit access devices.D§ 1029(a)(6) — solicitation of another to engage in access device fraud.

Question 10

United States v. Salinas (D. Nev. 2019) involved a hotel employee who cloned Mifare master keycards and used them to access guest rooms. The employee had a legitimate physical-access badge to enter the property. Which principle does this case establish that is most directly applicable to Flipper Zero NFC use?

AEmployees authorized to physically occupy a facility are implicitly authorized to clone any credentials used in that facility.BPhysical authorization to be in a building does not constitute authorization to clone or use cloned credentials to access systems in that building.CMifare Classic cards are not "access devices" under § 1029 because they do not directly authorize financial transactions.DCFAA does not apply to hotel keycard systems because they lack sufficient interstate commerce nexus.