Our Response to the Canadian Government
In just a few years, Flipper Zero has become so popular that it’s now surrounded by many myths. It’s no wonder that people in power are trying to make Flipper Zero illegal. As you might have seen in the news, the Canadian government plans to ban Flipper Zero as part of their efforts to combat auto theft.
We believe that proposals like this are harmful to security and slow down technological progress. They are usually made by those who do not really understand how security works and will do nothing to solve the car theft problem. In this post, we’ll explain why banning Flipper Zero instead of fixing security threats is not the solution.
What happened?
At the National Summit on Combatting Auto Theft held on February 8, François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, announced measures to combat the rise in car theft in Canada. As one of the measures to address this issue, he proposed to ban Flipper Zero because he claims the device is being used to steal cars with keyless entry systems🤯. (Spoiler: this is not true)
Community response
Francois-Philippe Champagne also tweeted about the announcement, which received close to 900K views and 800 replies, becoming one of the most criticized tweets in his career. Here are some replies:
By the way, at my CanSecWest conference some researchers recently showed how to use a Raspberry Pi to relay bluetooth to unlock poorly secured Bluetooth car locks. Does this mean you are going to try to outlaw computers too?
— dragosr (@dragosr) February 9, 2024
If you knew anything about technology you would know the flipper and others are just simple ARM processors with basic sensors attached. Nothing ground breaking this will not stop a thing but makes it look like your doing something. The trick of politicians everywhere and it is…
— Adam Taylor (@ATaylorFPGA) February 9, 2024
The announced plans to ban Flipper Zero also caused a discussion on Hacker News (see here and here). Many users have said this ban won't fix the issue of insecure cars:
neilv
09.02.2024 1:00
|
[–]
|
The Flipper Zero is a general-purpose tool and STEM educational device. By banning the device, a country would be setting back their workforce of engineers and scientists a bit. How can you use a Flipper Zero to steal a car? Flipper Zero can't crack hard encryption. Is the real problem that cars were made with security that they already knew was negligently weak at the time? If so, is a recall of those cars more appropriate? |
advael
09.02.2024 2:50
|
[–]
|
So if I'm reading this right, they're banning something that is too underpowered to run the exploits people are using to steal cars (which are only possible in the first place because car companies' threat model is mostly about their customers rather than thieves) in order to pretend to do something about car theft |
The Canadian Repair Coalition has issued a statement regarding our situation.
Simplistic solutions, such as banning a device without a thorough understanding of its functions and benefits, are counterproductive, and we encourage the government to do better.
[Canadian Repair Coalition] Jasvinder Mann, Alana Baker & Dr. Alissa Centivany
How car theft actually works
The Canadian government news release mentions that the announced ban on Flipper Zero is one of the measures to combat the theft of cars with keyless entry systems. To find out if Flipper Zero can be used to steal such cars, it's important to understand how keyless entry systems work and what car thieves do to hack them.
What is a keyless entry system?
Cars with keyless entry systems are designed to unlock when the key fob is in close proximity without requiring the owner to press a button on the key fob. Simply touching the door handle is enough to trigger the car's sensors and unlock the doors. The engine then starts with a press of a button on the dashboard when the key is nearby. After that, the key fob won't be necessary until the next stop.
Once again, the engine will remain running and the doors unlocked — even if the original key fob is not in proximity of the car, which is exactly what car thieves exploit.
How thieves hack keyless entry systems
To steal a car with a keyless entry system, thieves work in pairs and use radio repeaters to trick the car into believing the key fob is nearby when it's actually inside the victim's house.
To do this, thieves establish a connection between the car and the key fob using two repeaters. They hold one repeater near the car and another as close as possible to the house to reach the key fob inside. The thief next to the house uses a repeater with a large antenna that can pick up signals even through a wall. Since key fobs are usually left near the front door, a thief with such a repeater can easily locate them. Once connected, the car and the key fob assume they are near each other, which allows the thieves to unlock the car door and start the engine.
To transmit signals to key fobs through walls, thieves need huge antennas and powerful repeaters. All video-documented cases of car theft show that theft equipment takes up a lot of space in thieves' backpacks.
What hardware thieves actually use
Car theft equipment for every car brand can be found on special websites for car thieves. Just google "keyless repeater
" to get a long list of websites that offer car theft tools with worldwide shipping, with prices ranging from €5,000
to €14,000
.
After learning about the sophisticated tools thieves use, let’s have a look at the Flipper Zero’s capabilities. Can it actually be used to steal cars?
Can Flipper Zero hack a car?
There are many videos on social media where kids promise to “hack the Pentagon” using a Flipper Zero to gain more views. Such content has created lots of myths and is used by journalists who don't bother with fact-checking. It's not surprising that some politicians have started to propose bans based on false information. To fix this, we'll try to bust some popular myths surrounding the Flipper Zero by answering the questions below:
— Can you steal a car with Flipper Zero?
We are not aware of any officially confirmed cases of theft using a Flipper Zero. This is because the device has limited functionality and can't be used as a repeater to attack keyless entry systems. Flipper Zero is equipped with only one sub-1 GHz radio module, while keyless repeaters have 4 radio modules: one for communication with the car, another one for communication with the key fob, and two for communication between the repeaters.
— But Flipper Zero operates at the same frequencies as remote controls
Yes, Flipper Zero can indeed receive and decode radio signals. However, intercepting the radio signal from the remote control won’t be enough to unlock a modern car because they use encryption to securely provide access. The most popular encryption system used in car keys is rolling code, where every press of the key fob button generates a different encrypted radio signal. This security feature helps prevent basic attacks that only require a $2 radio module.
— What is the difference between static and rolling code?
A static code is a fixed set of numbers access control systems use to grant access. Every time the user presses a button on a remote, the same set of numbers is sent. It is enough to capture such a signal once, which can then be endlessly replayed to grant access.
A rolling code is a changing set of numbers. This means that whenever the user presses a button on a remote, it generates a unique code based on a sequence known only by the access control system. Simply capturing a signal and replaying it wouldn't provide access since this set of numbers has already been used.
How to "hack" a radio signal with a piece of wire
Although cars using static codes were discontinued around 20 years ago, they are still in use. The main vulnerability of such cars is that their radio signals can be easily captured and replayed without sophisticated tools. In fact, static codes are so insecure that they can be "hacked" with a piece of wire connected to a PC's microphone input:
Technical details (click to expand)
- Key fob radio waves at a frequency of
433 MHz
are picked up by the antenna and passed into the microphone input that captures them as an audio signal when recording sound. - The key fob uses
OOK
modulation, where data is encoded through periods of presence and absence of a carrier frequency433 MHz
. The resulting signal has such a low switching frequency that we can see it in the captured audio signal, even though the sound card can’t capture a signal of a frequency as high as433 MHz
. The diode
is needed to allow only the positive half-wave of oscillations to pass into the microphone input. Since the amplitude of oscillations in the resonant circuit is symmetrical, if they are fed directly into the microphone input without a diode, the digitized signal will be nullified.The capacitor
is required to block direct current (DC) from the microphone port from reaching the resonant circuit. Sound cards always supply a slight direct current to the microphone port, because it is needed for a microphone to work.- In the video above, the audio is recorded using Audacity. The resulting .WAV file is processed in Universal Radio Hacker (URH) to decode the signal using the Princeton preset.
This example shows the absurdity of all attempts to ban devices like Flipper Zero. To protect against the interception of radio signals, it would be necessary to ban all electronics, including headphones, which is unrealistic.
The Flipper Zero is built with hardware components used in thousands of devices ranging from radio toys to educational DIY kits. For example, the CC1101 radio transceiver inside the Flipper Zero has been widely used since its release in 2007. The problem is not in the available radio hardware, but rather in the insecurity of outdated access control systems.
Security through obscurity doesn't work
Security through obscurity is a cybersecurity concept where a system's design is kept hidden from attackers to prevent them from exploiting its vulnerabilities.
However, once the inner workings of a system are exposed (which is only a matter of time), its vulnerabilities become evident, leaving it open to exploitation.
- In 2012, a vulnerability was discovered in hotel room locks manufactured by Onity. These locks were widely used in millions of hotel rooms across the globe. The discovery revealed that with a simple device that could be plugged into the DC port found on these locks, a person could bypass the card reader and open the lock within seconds.
- In the GSM mobile communication standard, the A5/1 encryption algorithm has been used for data encryption since 1987, with its security relying on the secrecy of the algorithm. The standard became widely adopted, but in 1994, the algorithms were disclosed, and millions of mobile phones became vulnerable to wiretapping. en.wikipedia.org/wiki/A5/1
Bans can't protect insecure systems
Instead of banning cybersecurity tools capable of finding vulnerabilities in security systems, these vulnerabilities must be fixed. The cybersecurity industry has long recognized that bans do not fix insecure systems, but instead only cause more problems by creating a false impression that proper measures have been taken. Let’s have a look at real-life examples.
HTTP vs HTTPS
The current state of access control systems can be compared to the evolution of the World Wide Web (WWW) protocol . In the past, websites used the insecure HTTP protocol, which lacked encryption. This made it vulnerable to data interception by anyone along the way or via Wi-Fi. Since internet traffic was routed through the equipment of many companies, there was a high risk of data interception.
The HTTP protocol was replaced by HTTPS ("s" meaning secure), which fixed security vulnerabilities by providing data encryption. HTTPS has become the standard for secure communication on the web.
Credit Cards: magnetic stripe vs chip
In the past, bank cards used magnetic stripe technology to store and transmit cardholder data. These magnetic stripes were easy to clone or skim. Criminals used skimming devices to steal card information, which allowed them to clone cards for unauthorized transactions.
To fight credit card fraud, chip cards were introduced. These cards use advanced technology with embedded microchips that generate unique transaction data for each transaction, making it extremely difficult for criminals to clone these cards.
Sign our petition to save Flipper Zero
We hope we've properly explained why banning Flipper Zero makes no sense. Such measures do nothing but harm innovation and security. Now, it is our objective to convey this information to the government of Canada. Please, sign the petition.
What else can I do?
- If you are in Canada, contact your Member of Parliament and share this information with them. If you are a member of a political party in Canada, please pass this information on to its representatives.
- Get in touch with us if you believe you can help
pr@flipperdevices.com
- We express our gratitude to the Canadian members of our community who have created a public initiative to save Flipper Zero: saveflipper.ca