The Flipper Zero is a general-purpose tool and STEM educational device. By banning the device, a country would be setting back their workforce of engineers and scientists a bit.
How can you use a Flipper Zero to steal a car? Flipper Zero can't crack hard encryption.
Is the real problem that cars were made with security that they already knew was negligently weak at the time? If so, is a recall of those cars more appropriate?
The Flipper Zero is a general-purpose tool for engineering and information security research. By banning the device, we will be doing a disservice to our country’s practitioners in these fields, while doing little to thwart car thefts.
If possession of a device like Flipper Zero is the enabler for car theft, then it leads me to believe that such cars had negligently insecure encryption from the day they were manufactured, and a recall of such cars would be more appropriate.
Very nice. I like how concisely you hit the points. And also that you can note you're a constituent, tech business owner, and tech expert.
If different people want to mix up approaches, and hit various notes, to see what resonates, a couple thoughts (as a tech nerd, not a political communicator):
* "Information security research" has different connotations for different people. No matter how professionally you conduct yourself and respect the term, and no matter how much you promote the term positively as professional... if a particular reader considers the term to be a euphemism for behavior they think should be curtailed, and they think that's the only use of FZ, that might hurt your effort. (Unless you can find a way to promote both at the same time, to those readers, without compromising on either more than you want to.)
* All the hobbyist experimenting and building things, by kids and adults alike, I consider constructionist "education", which is valued. And I suspect it doesn't hurt to say "STEM", as a keyword for the kinds of jobs and economic development this leads to. (Imagine kids figuring out how modern devices work, which today requires more than just unscrewing an appliance and finding the motor and gears. Or getting interested in the RF that backs much of our global technology infrastructure, and inspired to pursue engineering or science. Or using that knowledge to build things that help get them into universities, or that become a tech startup company.)
You may want to add that the average person's phone is many times more powerful and capable than a flipper. The dual use tools that can steal cars are so ubiquitous in society (such as a cheap laptop) that no amount of device banning will make a lick of difference.
> leads me to believe that such cars had negligently insecure encryption
While accurate, the standard may not be as rigorous as you'd like to imagine; there was a time not long ago when a wire coat hanger was enough to unlock a car.
I remember that time. We even used it once on a friend's car. However, we did not ban wire coat hangers. I'm sure the politicians would agree that would have been silly, but common sense seems to leave them when it comes to tech.
A lot of vehicles - my wife’s 2015 Kia included - have a very flawed implementation of rolling key encryption. Basically, you need to capture three consecutive keys. The receiver is programmed to allow any future key (in case the fob was pressed away from the car), and will happily reset to past keys when you send three consecutive keys in sequence.
Ostensibly this is to avoid people’s fobs from becoming “unpaired” somehow if the car receives a future key. You just hit the button a few times and it works. In practice, it’s trivially easy to exploit.
Here's the unfortunate part of how the Canadian government works. Many of our laws (legislation) defer the specific implementation details to regulations. This specific ban likely doesn't need to go through the House of Commons or the Senate and can just be passed as an Order-in-Council that directs ISED (Canadian FCC) and CBSA (Canadian CBP) to modify their regulations to prohibit the device from use and import respectively. So long as there's an existing law in place that defers to regulations for banning specific devices or specific categories of devices, those regulations can be modified without parliamentary oversight.
It's the same approach they used for their recent (last 5 years) firearm bans. Whether or not I agree with what they're trying to accomplish with the bans, the ability to arbitrarily ban specific items without meaningful oversight isn't great for democracy.
Can a FZ assist in enrolling a new key in the ECU immobilizer’s list of approved keys, or does it just facilitate a relatively quiet way of unlocking the doors?
Because honestly there are lots of ways of gaining access to the inside of a vehicle, and if it can’t enroll a new key it’s neither necessary nor sufficient for stealing a vehicle.
A lot of the weak security now being exposed by the Flipper Zero (but they already existed and were actively being exploited) are the result of trading in security for convenience.
An example: Contactless payments, I can pay up to €50 by just pressing my bank card against the receiver. Very convenient, but, anyone can hold a receiver up to where I have my card and steal money that way. There's insurances of course, in this case the bank is pretty clear in saying "we know this is a risk and you will be compensated", same as with their apps etc. But it is a tradeoff.
> How can you use a Flipper Zero to steal a car? Flipper Zero can't crack hard encryption.
It’s impossible, you can’t even use it against garage doors rolling keys without accessing the garage unit and program it like a new remote. The ban has nothing to do with car theft.
Someone on the plane I was on kept triggering it to do bluetooth attacks ('not your airpods') while I was trying to read (and have my earphones on connected via bluetooth so fuck me right?).
There's hacked firmware's you can install [0]. I understand that there are probably tons of other devices like this out there but this one was SO fucking popular and easily accessible.
I've already seen this thing abused and used in a super obnoxious way. Frankly I think you should be arrested for having it on in the passenger cabin of an airplane.
A person messing with RF while in an airliner should probably be arrested, I agree with that part.
Probably best not to have the tool in carry-on, even powered-off, and I'd understand if TSA didn't permit that (like they wouldn't let a chef carry-on their knives, another tool with very legitimate purposes).
Messing with bluetooth on an airliner isn't going to do anything at all. If they were attempting to spoof GPS or playing with VHF signals that's another issue but the flipper isn't capable of that.
The TSA also doesn't care, they don't look for, and don't remotely have the training to detect suspicious electronics. Even if they did the flipper looks very innocuous unless you know what it is. You can reliably get much more entertaining things onto airplanes without them batting an eye.
It can do something. Many people depend on Bluetooth insulin pumps for instance, and in an airplane they may not have access to the alternatives in case the device stops working.
You don't need a flipper zero for that. A simple esp32 (also the base of a FZ) can do it and even an android phone can.
It's a dick move but banning the hardware doesn't do anything because you can port such simple hacks to any platform. It's the action that should be policed.
I get that this lowers the barrier to entry, but presumably you could do something similar with a software package to make your laptop do the same thing? AFAIK it uses off the shelf radios and firmware so I don’t really understand the framing here that this device is ok but others aren’t. Especially as others point out it’s unlikely this has anything to do with making car theft easier nor to interfere in any way with the safe operation of the plane.
Yeah, this panic over the device is weird when it feels like a nothing burger. I can understand it in the general populace that doesn’t understand tech, but the reaction on HN by some commentators on a forum literally dedicated to hacking on things is weird to see.
It’s like getting upset by a lock picking set except this isn’t even a lock picking set and more like a door knob diagnostic tool.
I am on the fence here. In terms of difficulty, isn't it basically like surfing on someone's unprotected wifi and being surprised that someone can see what you are doing?
I am not excusing the behavior, but I also don't see arrest as an appropriate remedy.
There are good reasons to ban a device like that on an active passenger flight. A modern airplane relies on a lot of radio frequency communication I think.. a reason for strict ban is - there is no feedback to the person in the passenger area when they stomp on some sensitive channel, or they may notice but find it exhilarating perhaps..
I'm a private pilot, but I can't think of any flight critical systems that could really be impacted, especially since the Flipper Zero is very low power. I suppose that it could affect cabin systems like on-board purchasing or seatback entertainment. An unlocked android phone has very similar hardware and capabilities.
This is in no way an endorsement of fucking around with one on an airplane, or even off an airplane when used without the consent of the target.
That seems reasonable to me, but I don't think that was the OPs proposition ( arrest the user ). Ban on a plane is fairly strong, but a lot more reasonable. At least compared to blank ban on electronics that included gameboys and walkmen, this one makes sense.
It’s only facially reasonable to people not familiar enough with RF on a plane. This isn’t in the right radio bands to interfere with anything to do with the safe operation of a plane and it’s using off the shelf radio chips and firmware that would have the appropriate channel switching when they detect a sensitive communication (no different from the stuff the WiFi chip in your laptop and phone are doing when connected to the plane’s WiFi). People were rightly concerned (even if overly conservative and in practice it would be ok) about 3g + planes but since 4g it’s been a solved problem and WiFi has been doing coex with radar channels for forever and if if I recall correctly Bluetooth is too low power to really cause a problem. And to reiterate, flipper zero afaik is using the same off the shelf radio hardware and firmware that would be found in any other product so it wouldn’t be any more dangerous to plane functioning than those products. I really am confused by the FUD being leveled at flipper zero and where it’s coming from.
I've learned a lot from mine, especially how many types of access control RFID work. And I've been working on commercial SDR projects for the past decade.
What kind of projects? I've been looking at moving that direction but most of the fun SDR work is classified stuff and the commercial world seems pretty happy with ancient superhet architectures for the most part.
The problem always comes down to lack of responsible use. Great, you learned a lot. Others are using it for harm. So now we have a problem.
Look at the state of CB radio. Anybody can buy and use one. The airwaves are clogged with the trucker equivalent of YouTube Poop. It's like being in a fucking mental hospital.
Ham radio requires licensing. There are still cranks but now there's a barrier to entry for most of them. It's still usable.
Lockpicks are illegal to carry in parts of America, unless you're a licensed locksmith.
Look at the state of the internet, 1997 vs now. The difference is we onboarded everybody.
Broadly speaking, trolling/crime (and tools to perpetrate it) should not be frictionless. Attacks on infrastructure (malware, etc.) are getting too expensive and social attacks are basically free to execute and costly to respond to.
You can bring any western company to a grinding halt by getting a bunch of entry-level stooges to file false workplace violence and other complaints indiscriminately in bad faith. There's no cost or consequence for this, and the company will panic trying to accommodate in good faith, but do the same with police reports and everyone gets charged with misdemeanors for abusing the system.
> By banning the device, a country would be setting back their workforce of engineers and scientists a bit.
You're pulling a "Think of the children" here. Rest of your comment is fine, but this first statement doesn't hold water. Any incredibly small number of engineers and scientists would ever use this device. A Raspberry PI, Ardiuno, or other general purpose micro controllers and small form computing devices sure, I could believe that. But some niche device, no.
Edit: I wasn't aware of the popularity of the device, as suggested by comment below, when I wrote this
RF devices are already ubiquitous, the technology and applications keep growing, and there's emerging opportunities for innovative applications.
FWIW, I "funded" the Kickstarter for Flipper Zero because my startup was doing something a little innovative with various kinds of RF tags, to help solve a significant societal problem. (Which, besides what we could've contributed to a country in monetary value of our company, the application domain had significant implications for national economies, as well as for public safety. All things that lawmakers care about, in addition to reducing auto thefts.) We had Android diagnostic software, plus bespoke iOS apps with NFC that I wrote, but a Flipper Zero would've helped me work better and faster at some things.
The Flipper Zero is a small-form computing device that is immensely popular, not particularly niche.
> Any(sic) incredibly small number of engineers and scientists would ever use this device.
I personally know over a dozen people who own them and have tinkered with them in various ways. I managed to "break" my air conditioner unit (permanently setting it to C, not that bad of a "break") with one. Definitely less popular than a Pi or Arduino, but growing in popularity very fast.
Numbers? I see in 2023 they did 80m rev which is what, half a million devices sold worldwide? That’s very niche. % wise close to 0; it’s a geek tool. Nice but not immensely popular.
You'd be surprised how much 500K means if you're not Samsung or Apple. There's recent products you'd say were clear hits and sold an order of magnitude more than that, but in actuality, it was exactly 350K.
But I didn’t say 500k is not a lot or that it’s not successful; I say that it is a niche and it’s not immensely popular. It’s successful in its niche. Again, the comment I replied to used those terms and that’s just not true. I don’t care and wish them all the luck and selling 100m of these things, but if I have to think about how many zeros behind the comma to write the % of human owners, this is not a non niche or popular product. Knock on your neighbours door and ask what it is; they won’t know and they also would never ever buy one.
It's not a niche device - it's explosively popular and is obviously serving as a gateway for some young people into engineering and hacking.
I couldn't possibly comment on the practical consequences to STEM of banning it. I wouldn't make that argument. But it's silly to claim that it's a "think of the children" argument and nothing more.
How can you use a Flipper Zero to steal a car? Flipper Zero can't crack hard encryption.
Is the real problem that cars were made with security that they already knew was negligently weak at the time? If so, is a recall of those cars more appropriate?