惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
The GitHub Blog
The GitHub Blog
博客园 - 【当耐特】
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Announcements
Recent Announcements
D
Docker
GbyAI
GbyAI
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Cloudflare Blog
雷峰网
雷峰网
A
About on SuperTechFans
小众软件
小众软件
博客园 - Franky
博客园 - 聂微东
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
C
Check Point Blog
MongoDB | Blog
MongoDB | Blog
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
U
Unit 42
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
V2EX
Engineering at Meta
Engineering at Meta
宝玉的分享
宝玉的分享
aimingoo的专栏
aimingoo的专栏
量子位
P
Proofpoint News Feed
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
罗磊的独立博客
Martin Fowler
Martin Fowler
D
DataBreaches.Net
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
Project Zero
Project Zero
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tailwind CSS Blog
S
Schneier on Security
Blog — PlanetScale
Blog — PlanetScale
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Security Latest
Security Latest
NISL@THU
NISL@THU
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
J
Java Code Geeks

hackers Archives - VICE

Hackers Are Spreading Malware Through LinkedIn Comments Now Hackers Took Over Transit Ads with Messages from Queer Palestinians in Gaza ‘Windows for Gamers’ Rolls Dice With Your Security Senator Asks Big Banks How They're Going to Stop AI Cloned Voices From Breaking Into Accounts The Car Thieves Using Tech Disguised Inside Old Nokia Phones and Bluetooth Speakers Smart Garage Company Fixes Vulnerability by Breaking Customers' Devices Hackers Can Remotely Open Smart Garage Doors Across the World The Cure Tried to Stop Scalpers. Brokers Are Selling Entire Ticketmaster Accounts Instead Inside the DEA Tool Hackers Allegedly Used to Extort Targets
Feds Want to Ban the World’s Cutest Hacking Device. Experts Say It's a ‘Scapegoat’
Janus Rose · 2024-02-13 · via hackers Archives - VICE

The government of Canada has its sights set on banning the Flipper Zero, an adorable handheld hacking device that is cherished by security researchers and hobbyist hackers and has gained a sizable following on TikTok.

The device is modeled and named after the virtual dolphin from the movie Johnny Mnemonic, and it’s essentially a Tamagotchi you can use to hack stuff. Flipper can scan radio frequencies and clone key fobs, control infrared-based devices, and is generally a kind of Swiss Army knife for security researchers, who actually use it to improve device security. It’s also used by hobbyists who like playing around with computers,  and more generally it’s just really adorable. But there’s a lot of misinformation floating around about its capabilities due to bombastic—and often staged—videos on TikTok and other social media platforms.

Videos by VICE

Flipper’s popularity has resulted in the device being named as a target in an upcoming National Summit on Combating Auto Theft, where the Canadian government claims, without any evidence, that the device is being used to steal cars.

“Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried,” wrote François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, in a tweet. “Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

Canada does have a problem with car thefts at the moment tied to organized crime networks, but there’s no evidence that Flipper Zero is playing a major role in these thefts. The Flipper Zero scans frequencies and records signals that can be replayed. While the Flipper Zero can do this for a car key fob, allowing a user to open a car with the device, it only works once due to the rolling codes that have been implemented by car makers for 30 years, and only if the key fob is first activated out of range of the car. More effective approaches used by criminals involve actually plugging a device into a car with a cable or employing a “relay” (not replay) attack that involves two devices—one by the car and one near the fob, which tricks the car into thinking the owner is nearby.

Champagne linked a press release for an upcoming national summit where government will be “Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies,” according to one the conference’s agenda items. The press release does not include any evidence that the device is being used for auto theft.

Naturally, this has riled digital rights groups and sections of the hacker and cybersecurity community, who are both upset and unsurprised that the Canadian government has their beloved Flipper in its crosshairs.

“We shouldn’t be blaming manufacturers of radio transmitters for security lapses in the wireless unlock mechanisms of cars,” Bill Budington, Senior Staff Technologist at the Electronic Frontier Foundation, said in a statement to Motherboard. “Flipper Zero devices, because of their ease of use, are convenient scapegoats to blame for gaping security holes in fob implementations by car manufacturers. Banning Flipper Zero devices is tantamount to banning a multi-tool because it can be used for vandalism, or banning markers because they can be used for graffiti. Moreover, tools like the Flipper Zero are used by security researchers involved in researching and hardening the security of systems like car fobs—banning them will result in tangible harms.”

Canadian digital rights group OpenMedia concurred that banning the Flipper Zero would do more harm than good.

“A ban on sale of general purpose tools like the Flipper Zero will do more to hurt than help Canadian cybersecurity,” said OpenMedia Executive Director Matt Hatfield. “The core problem here is the vulnerability of the keyless entry systems cars are using, not the fact that ordinary technology can reveal this vulnerability. By blocking the lawful sale of these devices, Canada will make it harder for cybersecurity researchers to do their work of testing vulnerabilities and informing the Canadian public, while doing little to prevent motivated car thieves from acquiring tools and exploiting these vulnerabilities.”

When reached for comment, Flipper Devices COO Alex Kugalin reiterated that modern cars are largely protected from the simple attacks the device is capable of. “Flipper Zero can’t be used to hijack any car, specifically the ones produced after the 1990s, since their security systems have rolling codes. Also, it’d require actively blocking the signal from the owner to catch the original signal, which Flipper Zero’s hardware is incapable of doing”, said Alex Kulagin, COO of Flipper Devices. “Flipper Zero is intended for security testing and development and we have taken necessary precautions to ensure the device can’t be used for nefarious purposes.”

The company pointed Motherboard to a January 2023 alert from the New Jersey Cybersecurity & Communications Integration Cell, a state organization. The alert stated that “most modern wireless devices are not vulnerable to simple replay attacks” and added that the Flipper Zero is unable to make purchases using signals captured from contactless credit cards. The alert also pointed to reporting from Wired that stated most of the dramatic videos on TikTok showing a Flipper Zero being used to steal a car are likely staged.

The proposed ban prompted bemused reactions from cybersecurity professionals on social media. “The only thing that can stop a bad guy with a Flipper Zero is a good guy with a Flipper Zero. I have a right to protect my family and community,” wrote security researcher Wesley McGrew, in a cheeky tweet referencing the frequently-used pro-gun rhetoric. McGrew also responded to Champagne’s post with a “Come And Take It” meme spinning off the popular libertarian slogan.

Security experts lined up to lambaste the Canadian government and its insistence that the device is enabling crime. “Instant reactive thought… Isn’t stealing a car already a crime – that the criminal is ok breaking?” wrote security consultant Josh Corman.

Others mocked the government’s belief that devices like Flipper Zero are dangerous and all-powerful hacking tools. “I don’t find the Flipper to be that useful. Its built-in radio frequency support is barely more than you get from a good rooted phone. And I was unable to purchase the RF frequency modules because they were sold out. But imagine that *this* is considered a threat!” wrote Matthew Green, a professor of cryptography at Johns Hopkins University.

Jordan Pearson contributed reporting to this article.