The federal government of Canada is banning the Flipper Zero due to its alleged use in car thefts. The feds say criminals are using the Flipper to steal cars by intercepting and copying wireless signals that key fobs emit. This is mostly wrong, according to Vice, which cites cybersecurity experts who say the Flipper is being targeted because the feds don’t understand how the device works. They just need someone (or something) to blame for the country’s surge in auto theft, and they’ve chosen the Flipper Zero as the fall guy.
This is more or less a case of that one uncle who can’t toggle airplane mode declaring a national emergency has been caused by a new gizmo. The Canadian government is using anecdotal accounts and TikTok videos — which have been proven to be staged for social media — as evidence that the Flipper Zero is being used by car thieves despite its hardware limitations. Per Vice:
Flipper’s popularity has resulted in the device being named as a target in an upcoming National Summit on Combating Auto Theft, where the Canadian government claims, without any evidence, that the device is being used to steal cars.
“Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried,” wrote François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, in a tweet. “Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”
Canada does have a problem with car thefts at the moment tied to organized crime networks, but there’s no evidence that Flipper Zero is playing a major role in these thefts. The Flipper Zero scans frequencies and records signals that can be replayed. While the Flipper Zero can do this for a car key fob, allowing a user to open a car with the device, it only works once due to the rolling codes that have been implemented bycar makers for 30 years, and only if the key fob is first activated out of range of thecar. More effective approaches used by criminals involve actually plugging a device into a car with a cable or employing a “relay” (not replay) attack that involves two devices—one by the car and one near the fob, which tricks the car into thinking the owner is nearby.
The Zero is a portable pen-testing tool (short for penetration testing,) which can be used to glean information and test an object’s resilience to remote attacks. Users can hack devices that rely on wireless communications and RFID, but this does not enable the Flipper to steal the majority of new cars, which use rolling codes and immobilizers to prevent theft, as Vice explains:
When reached for comment, Flipper Devices COO Alex Kugalin reiterated that modern cars are largely protected from the simple attacks the device is capable of. “Flipper Zero can’t be used to hijack any car, specifically the ones produced after the 1990s, since their security systems have rolling codes. Also, it’d require actively blocking the signal from the owner to catch the original signal, which Flipper Zero’s hardware is incapable of doing”, said Alex Kulagin, COO of Flipper Devices.
The cybersecurity community has spoken out against the Canadian ban, with some experts pointing out the futility of criminalizing a device that’s reportedly already being used by the criminal community:
“We shouldn’t be blaming manufacturers of radio transmitters for security lapses in the wireless unlock mechanisms of cars,” Bill Budington, Senior Staff Technologist at the Electronic Frontier Foundation, said in a statement to Motherboard. “Flipper Zero devices, because of their ease of use, are convenient scapegoats to blame for gaping security holes in fob implementations by car manufacturers. Banning Flipper Zero devices is tantamount to banning a multi-tool because it can be used for vandalism, or banning markers because they can be used for graffiti. Moreover, tools like the Flipper Zero are used by security researchers involved in researching and hardening the security of systems like car fobs—banning them will result in tangible harms.”
[...]
Security experts lined up to lambaste the Canadian government and its insistence that the device is enabling crime. “Instant reactive thought… Isn’t stealing a car already a crime - that the criminal is ok breaking?” wrote security consultant Josh Corman.
When Wired looked into the Flipper Zero’s use-cases, it found that the device could easily be mistaken for a device that enables crime. The Flipper can scan and clones wireless transmissions, but it can’t copy or replay encrypted signals due to hardware constraints.
Wired reviewers used it to “steal” tire pressure info from nearby cars, for example. The Flipper is hardly the device the Canadians say it is, but that hasn’t stopped government agencies — including U.S. Customs and Border Protection — from going after the tamagotchi-like device.