Can Flipper Zero really steal your car? (Spoiler: NO)

You may have seen news reports about the “secret” Flipper Zero firmware that allegedly hacks any car: The Verge, Gizmodo, 404 Media, and The Drive have all written about it. Let’s dive in to see whether this claim holds up (major spoiler: it doesn’t).

What happened

Some darknet online stores have started selling so-called private firmware for Flipper Zero, claiming it can hack countless cars. They say new vulnerabilities have “leaked” online that make it possible to break dynamic protocols like KeeLoq.

In reality, all of these methods were published more than 10 years ago — nothing new at all. The authors of such firmware are simply recycling well-known vulnerabilities and presenting them as “new hacks.” And importantly, these vulnerabilities have nothing to do with real car theft, since they do not allow you to start the engine.

How the KeeLoq protocol works

KeeLoq protocol vulnerabilities have been known since 2006

KeeLoq was developed in the 1980s and used in older access systems like garage doors and early car alarms. It’s what’s called a rolling code or hopping code system. The idea is that every transmission uses a new unique signal, encrypted with a 64-bit manufacturer key. This manufacturer key is the weak spot of KeeLoq. The problem was that carmakers often used the same key across an entire model line. If that key leaked, an attacker could intercept signals from any remote of that brand.
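The rolling-code design and the fleet-wide manufacturer key, as a toy model added here for illustration (not Flipper Zero’s code and not the real KeeLoq cipher): HMAC-SHA256 stands in for the vendor block cipher, the counter travels next to a tag instead of inside an encrypted block, and the window size, serials and key strings are constructed values.

```python
import hashlib
import hmac
import os

WINDOW = 16  # constructed: receiver accepts a counter up to 16 presses ahead

def mac(key: bytes, *fields: int) -> bytes:
    """Stand-in for the vendor block cipher: 32-bit HMAC tag over the fields."""
    data = b"".join(f.to_bytes(8, "big") for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:4]

def derive_device_key(mfr_key: bytes, serial: int) -> bytes:
    """KeeLoq-style provisioning: each fob's key comes from one manufacturer
    key plus the serial number the fob transmits in the clear."""
    return hmac.new(mfr_key, serial.to_bytes(8, "big"), hashlib.sha256).digest()

class Fob:
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> tuple:
        self.counter += 1  # rolling code: every press carries a new counter
        return self.serial, self.counter, mac(self.key, self.serial, self.counter)

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, serial: int, counter: int, tag: bytes) -> bool:
        fresh = self.last < counter <= self.last + WINDOW
        valid = hmac.compare_digest(tag, mac(self.key, serial, counter))
        if fresh and valid:
            self.last = counter  # this and every older counter are now dead
        return fresh and valid

def replay_is_rejected() -> bool:
    """A passively recorded press stops working once the receiver has seen it."""
    key = derive_device_key(b"model-line-key", 0x1234)
    fob, car = Fob(key, 0x1234), Receiver(key)
    recorded = fob.press()
    return car.accept(*recorded) and not car.accept(*recorded)

def shared_root_exposes_fleet() -> tuple:
    """(derived, independent): anyone holding the model-line key can verify, so
    also read, any derived-key fob from its serial; independent keys share no root."""
    mfr_key = b"model-line-key"
    def checkable(fobs):
        return all(Receiver(derive_device_key(mfr_key, f.serial)).accept(*f.press()) for f in fobs)
    return (checkable([Fob(derive_device_key(mfr_key, s), s) for s in (0x1234, 0x5678)]),
            checkable([Fob(os.urandom(32), s) for s in (0x1234, 0x5678)]))
```

The rolling counter alone defeats a plain replay; the weakness is that one shared root secret, not a per-device key set at pairing, stands behind every fob of the model.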

The authors of these “hacker” firmwares are just redistributing old leaked manufacturer keys from various automakers. None of this is new — these vulnerabilities were thoroughly documented back in 2006: https://web.archive.org/web/20221206050746/https://www.cosic.esat.kuleuven.be/keeloq/

Since then, car manufacturers have moved on to more modern radio protocols with two-way authentication, where the car and the key exchange messages to verify authenticity.

You can “hack” it with just a piece of cable

Because analyzing the encrypted protocol is passive, all you need for an “attack” is to record the remote’s radio signal. You don’t need Flipper Zero — even a piece of wire connected to an audio jack would do.

[video] Demonstration on how to receive a signal from a radio remote using a piece of wire

How car theft actually works

Intercepting a remote signal is not enough to start a car. That’s why these KeeLoq attacks have nothing to do with real-world car theft.

Today, real thieves target keyless entry/start systems by attacking the key fob directly. They use a combination of relays and transmitters that proxy the signal from the real car key, tricking the car into thinking the key is nearby.

Thieves trick the car into thinking the key fob is near

We covered this technique in detail in our article: Response to Canadian Government

TL;DR: Real car thieves don’t use Flipper Zero — they have purpose-built relay tools. Here’s a video showing how cars are actually stolen with these devices:

[video] CCTV footage showing how thieves steal cars with keyless entry systems

Conclusions

  • The so-called hacker firmwares for Flipper Zero don’t add anything new — they just reuse techniques documented since 2006.
  • Real car thieves use completely different, specialized tools.
  • If your car could be attacked with Flipper Zero, it could just as easily be hacked with a piece of wire.