Feds want to ban the Flipper Zero – Experts say it's a scapegoat (vice.com)
260 points by LinuxBender 3 months ago | 247 comments



I mentioned this last time it came up[1] but I'll mention it again, if anyone is directly affected by this precedent being potentially set, please reach out to me. A little more context, I'm the founder in residence at a very large Canadian law firm, and we have a government relations group. I'd be willing to use a bit of my budget to see if we can't push into this somehow.

[1]https://news.ycombinator.com/item?id=39310369


I'm curious what the impact of this would be on non-flippers.

The flipper is just some common off-the-shelf radios and microcontroller, albeit in a nice package. That's it. Like common radios found in your everyday stuff, like say a garage door remote.

Would regulations affect every product using these? I assume they'd have to in order to have any teeth? Would this impact a developer who wants to buy a cc1101 evaluation board for development?


Yeah it's just an ESP32 with a few cheap radio modules really. I'm surprised how expensive it is in fact.

Also, banning it is not going to actually make it unavailable to bad actors obviously. It will just hamper white hat security researchers.


They have an esp expansion board but the default flipper is an stm microcontroller + CC1101, I was actually surprised it didn't use an esp32.


Oh oops, I must have been confused with the addon board yeah. Sorry.


I was hoping to see much cheaper alternatives (say $20-30) but that is yet to happen. After all, it's fairly simple hardware with a tiny bit of RF.

But maybe discussion about banning it will push creation of some alternatives?



I've seen that one. Better than nothing, although 119 feels still a bit too high for a $30 BOM.

What do we know about the company behind this?


> It will just hamper white hat security researchers.

And deter at least some script kiddies.

I'd wager far more script kiddies would be turned away by this move than white hat security researchers.


This is very much my concern. Flipper is cool and all, but I'm more concerned about the chilling effect it might have across the industry. As pierat mentioned in the comments here, it could end up being a real mess and hamper innovation in Canada, that's why I'm willing to stick my neck out a bit.


The term "chilling effect" gets thrown around a lot online, but if this isn't the correct application I don't know what is. I truly can't imagine the thinking behind such sloppy legislation.


the thinking is that the federal justice minister's government-issued vehicle has been stolen three times in the last three years, and he's pissed.

it's the classic "we must do something" problem, where the definition of "something" isn't the important bit.


Politician's syllogism from Yes Minister:

We must do something

This is something

Therefore, we must do this

I also love the touching naivety of legislators who seem to think that to stop bad people doing things all you need to do is pass laws making the bad things they do illegal.


> I also love the touching naivety of legislators who seem to think that to stop bad people doing things all you need to do is pass laws making the bad things they do illegal.

This is something that always frustrated me for hot button political issues. One side wants to make the thing everyone already agrees is bad double illegal, and the other side wants enforcement of existing options.

Or if we're talking about something that ought to be done. One side wants to throw money at the problem; the other side suggests that people should just try to not have bad things happen to them.

Ultimately, the refrain endlessly repeated is that people who want something to happen or don't want something to happen both want someone else to fix it. Somehow.

Let's make flipper zero illegal. Huh, someone stole the car again. Using a (now illegal) flipper zero (I mean technically it sounds like this isn't being facilitated by flipper zero, but use some imagination for a sec). Now what are you going to do. Make flipper zero MORE illegal? Stealing a car is already pretty high up there in terms of things that people don't want you to do.

The neat thing about automation and consumer electronics is that I can fix things myself. I don't have to influence a policy that is going to harness the efforts of potentially millions of other people (taxes, more laws, enforcement).


> Stealing a car is already pretty high up there in terms of things that people don't want you to do.

This is the core flaw in laws like this and DMCA 1201.

You have something which is already illegal, people are breaking the law, so you pass a law to make it illegal to have shoes because the criminals were wearing shoes while breaking the law. Obviously this needs to be prohibited because it helps them to run away.

Then criminals continue to both commit crimes and wear shoes and all you've really done is force people who obey the law to go barefoot.


"Make things you don't want people to do harder" can be a pretty reasonable course of action even when you can't make them impossible.

The real problem isn't that you can't make things harder (certainly we could cross the threshold "can't sell off-the-shelf products that make car theft easy"), it's how far you get into making things harder before you hit tradeoffs making entirely innocent things harder.

And where that tradeoff stops being worth it isn't always clear. Personally I'd like the convenience of a device like Flipper Zero but it's hard for me to say that my right to have someone else make me something turnkey trumps people's rights to maybe not have it quite so easy to have their cars stolen.

And yes, I absolutely get it that people will still make/have them. That's not the point. The point is that fewer people would, the fruit gets higher hanging and that changes the statistics. Worth it? Maybe, maybe not, but it's not a ridiculous position.


My frustration isn't that it's a ridiculous position. I can appreciate the line of thinking that's behind "make bad things harder".

My frustration is that this is just kicking the can down the road for someone else to handle.

In the case of the Flipper, this is asking manufacturers to stop making the Flipper. It's asking Retailers to stop selling the Flipper. It's asking the producers to end their Flipper product line. It's asking regulatory entities to check up on all of the above to make sure they're complying. It's asking police to keep an eye out for these devices. And it's asking the public to surrender their property.

In short, someone has a problem and their solution is for EVERYONE else to do all the work.

In this instance, if you hold an important government position and your car keeps getting stolen, maybe you could pay to have someone watch your car. Or pay to have a better security system installed.

I think that if you want the world to change, then you should put in the effort to make it different. However, very often what I've been seeing is that people want the world to change and their contribution is to figure out how to compel other people to do the work for them.


To be extra crispy clear: the justice minister's governmental car has indeed been stolen three times in three years. But there have been two different persons who were minister in the last three years to whom it happened.



I would suggest you also look into potential illegalization of things like SDRs like the HackRF portapack, and other SDRs.

My kit can easily do a LOT of naughty stuff. Just because I can, doesn't mean I do. But again, this won't just be a flipper zero ban, but an SDR RX/TX ban.

(I'm aware the flipper0 is not an SDR, but using the Texas Instruments CC1101 chip, but is functionally able to record/playback IQ-ish data.)


Bless you for doing this. I’ll point some friends to your post.


Before anyone asks "Why is a Canadian law firm concerned with the USA?", the headline by Vice is hideously misleading: "Feds" as in the Canadian federal government, not the US federal government.

Writing like this is one of many reasons I despise "journalism" now.


That all headlines are not contextualized to the US is why you hate journalism?


Journalism has its flaws but my experience is that some people just want to hate on journalists and will use every excuse.

Edit: it's also a little funny to see people who work in tech throwing stones at journalists


I have some empathy because a lot of "journalists" writing the news aren't actually journalists by trade or training, but rather marketing or "social media gurus" or similar nonsense that hasn't taught you how to judge source material, and because they are under immense pressure to do more with less than their ancestors, so nearly every article is just someone else's press release with a little flair added. In many ways, journalism of today is empirically worse off and less useful than journalism of yesterday, simply due to its seeming takeover by marketing types who have a loose understanding of what we should consider "truth" because they like to make money.

But it's so insane when people act like we didn't go to war with Spain in 1890s over a supposed attack on our warship that DID NOT HAPPEN, and then didn't increase our involvement in war with Vietnam over a supposed attack on our warship that DID NOT HAPPEN, and then we didn't go bomb the desert for two decades because they were full of supposed WMDs that DID NOT EXIST. Yellow journalism is older than your grandparents.


This is vice.com not vice.ca. If Vice.ca said the feds I'd assume Canada. A .com I shouldn't know at all what it refers to, but given that almost nothing is in .us I generally assume .com means US.

Context is very important, and the context implies US so it is important to specify.


.com is used in Canada and the entire rest of the world as well. It doesn't belong exclusively to the US by right or by custom.


By custom other countries use their own country code much more often. You are correct .com does not actually belong to the US.


> given that almost nothing is in .us I generally assume .com means US.

Wait, that doesn't follow. All squares are rectangles but not all rectangles are squares. In fact, most rectangles aren't squares.


No, I hate headlines that are unnecessarily vague or misleading.

"Canada wants to ban the Flipper Zero" would have been the same word count and infinitely more descriptive.

Also, I'm not going to read the contents of every bloody article. Especially if the contents don't particularly interest me. Headlines exist for easy and reasonably accurate summarization, which this one fails to do.


You don’t have to read the article. The sub headline includes the context of the country being Canada. “Canada is moving to ban the TikTok-famous Flipper Zero, claiming that it contributes to car thefts. It doesn’t.”

The least you could do is refrain from commenting on articles that you haven’t even clicked on.


The least the article could do is make it clear before I click, that I don't need to click on it because it's the same news I already read days ago... especially since I am passingly familiar with Vice and know they have a significant amount of US coverage as well.

But then they wouldn't get clicks that are ultimately worthless to literally everyone involved except for them!


Yeah, but by being vague they don't lose the clicks from anyone who would think "Not my country so no need to read about it!" - this way they can instill a sense of panic/indignation in everyone no matter what English speaking country with "Feds" they are in.


That headlines are purposefully vague to generate more clicks is why he hates journalism.


Canada also has a federal government. The USA is not unique in being made up of smaller units with their own governments with an overall federal government at a higher level.


Yeah but a US website saying the feds totally implies the US government. I assumed the feds were the US and I'M CANADIAN.

And I mean it's not the only stupid thing that journalists do. I just so happen to live near the capital of the country. I'll see articles that say Ottawa wants to ban single-use plastic bags. The city of Ottawa, or the federal government by using the capital city name as shorthand? Then you read the article and it is often impossible to find clues to indicate which organization wants to do the thing.


That's just because you're used to a US-centric view of the internet from all the other Americans who perpetuate the silliness.


It is vice.com, not vice.ca


> hideously misleading: "Feds" as in the Canadian ... not the US

This seems like a picayune complaint, especially when the article has one of the most responsible observations possible.

      where the Canadian government claims, without any evidence


I appreciate providing the context. however the overgeneralization and emotional excursion on "journalism" is missing the point of thinking the implicit context of a world wide forum is the usa. the headline per se isn't misleading, nor is journalism. what's misleading is the implicit bias in our heads.


Wouldn't you assume that the implicit context of a non-world-wide forum such as a news site was the USA, if almost every article you had previously seen from that forum was covering social or political issues in the USA?

Here's their top (place-specific) headlines right now: Tucker Carlson+Putin (US/RU); Alejandro Mayorkas (US); Trump/Taylor Swift (US); Neo-Nazi concerts (EU)


you describe implicit bias and its effect and its cause.

GP is surprised the article doesn't confirm their implicit bias.

and then GP misattributes the surprise to "today's despicable journalism"??

nono. tons of quality journalism is fine. please go and think about your implicit bias.

just to be sure we talk about the same thing

https://implicit.harvard.edu/implicit/takeatouchtest.html


Ok, that's great that you're using a word for it. I could not possibly care any less.

Why is it bad to assume that a US-centric site is writing a US-centric article when they put "feds" in the title?

Why does there being an implicit bias towards expecting a US-centric site to produce US-centric articles, mean that the journalism is not misleading?

It doesn't. It is misleading. It is clickbait. You are defending the indefensible.


Instead of banning game boys with radios, maybe fix the swiss cheese cars.


And hold the manufacturers selling negligent product designs to the public responsible. They won't improve until it's more expensive to sell crap.


I suspect it does affect the manufacturers indirectly: if you make an insecure car (ahem, Hyundai/Kia), theft rates and insurance premiums rise. That in turn means that residuals (resale values) go down which affects the profitability of leases and reduces demand for new cars, at least until the flaws are fixed.


I don't think most people check stuff like that when buying a used car. They just go for the one that has the features they like. Most people don't even price out insurance until after they buy, which means it won't affect resale.

The Kia one maybe just because it is so well known, but in most cases it probably has no effect at all.


Really? Checking the insurance cost and taxation is the first thing you do here in Netherlands. For used cars you can fill in the license plate and get direct information.


Right, but they have a lobby, so that will actually be met with resistance. This approach was chosen as it's a quick way to appear that you're doing something to combat car theft without actually meeting a lot of political resistance.


Instead of fixing swiss cheese cars, maybe try catching and punishing the criminals. Just because I hold my phone in my hand and not in a locked safe doesn't mean you can take it.


How about we do both? No reason we cannot punish criminals while also holding lazy manufacturers to account.


My proposed solution, manufacturers have to stop being lazy and install it and it solves the criminal problem: https://m.youtube.com/watch?v=7U4ZYOBzEEs


> No reason we cannot punish criminals while also holding lazy manufacturers to account.

I think you're talking about the same thing.


Because this is not an easy crime to catch or punish, these cars are so easy to steal a layman can do it in minutes without making much noise, take it to a chop shop, and be off with some money in no time.

Getting better at identifying and shutting down these chop shops is a good idea obviously, but that's also hard. On the other hand, forcing companies who didn't give a shit about security for years to pay for retrofitting the shitty cars they put out is actually a lot easier.


Sounds like we need more surveillance, facial recognition, and AI behavior and activity tracking around cities then

/s


Virginia bans radar detectors, which is wild.

You're not even emitting radio -- you're detecting it when it's being shot at you, and that's illegal?!


Radar detectors usually do emit some radio as a byproduct of how the receiver works. Plus it lets the radar detector companies sell radar detector detectors to the cops. And upgraded radar detectors to the chronic speeders that can detect the detector detectors. Etc.


AFAIK, it’s not about emissions or reception, it’s about increasing the LEO coffers via traffic fines.

It may be described as a signals concern but that’s simply window dressing.


As a Hyundai owner, TTTHHHIIISSS!


Was going to mention Hyundai/Kia.

(Background: many pre-2023 or so Hyundai, Kia, and Genesis models have a catastrophic security flaw that allows thieves to open, start, and drive affected vehicles without needing any access to the key fob at all. This is far worse than a signal cloning or relay attack and has resulted in skyrocketing theft rates and spiralling insurance costs in many countries…)


That catastrophic security flaw? That the US Gov't didn't require immobilizers on cars until way too late.

Funnily enough, Canada DID require immobilizers, so I think they're not subject to the same BS my car is subject to.


Nothing to do with immobilizers: that was a separate issue that was apparently fixed in 2021.

It’s a wireless attack that affects late model cars with proximity-based keyfobs (ie: ones that do not require a button to be pressed on the fob for the car to detect it), including 2022 and 2023 models such as the Ioniq 5 EV:

https://www.reddit.com/r/Ioniq5/comments/17lksic/increase_in...

All countries seem to be affected, not just US models.


I guarantee you that issue was not fixed for everyone in 2021, looking at my car without a software update. :)


Yeah, fixed in new cars from 2021 onwards I mean.


Ah, I’m sorry! I understand now!


Instead of putting money towards educating great cybersecurity professionals to overcome the bad actors, some folks want to get one tool banned. By the time the ban comes into effect, I bet that there will be even more nifty tools than Flipper Zero.

The folks who suggested or agreed on this ban ignored how tech moves faster than law creation and enforcement.


I believe this was fixed. Decades ago. The Flipper Zero can't be used on a car made in the past couple decades.


Depends entirely on the particular attack and the particular implementation. Even rolling code systems have vulnerabilities (e.g. relay attacks), they're just harder to attack.


Yup, someone stole teslas by relaying the key inside the house


Relay attacks can be defeated by precisely measuring the latency between the car and the fob/key device. Apparently relay attacks on Teslas are very difficult nowadays for this reason.
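
The latency check described in the comments above, as an added example that is not part of the thread or any vendor's code: the car side of a challenge-response exchange that rejects both a replayed response and a relayed one. The HMAC scheme, the fixed 1000 ns fob turnaround, the 2 m limit and the simulated timings are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458  # speed of light, metres per nanosecond


class Fob:
    """Key fob holding a secret shared with the car (constructed model)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # The response is bound to this challenge, so it is useless for any other.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """Verifier: checks the MAC first, then bounds the distance from the round trip."""

    def __init__(self, key: bytes, fob_turnaround_ns: float, max_distance_m: float):
        self._key = key
        self._turnaround_ns = fob_turnaround_ns  # assumed fixed and known
        self._max_distance_m = max_distance_m
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh nonce for every attempt
        return self._pending

    def verify(self, response: bytes, rtt_ns: float) -> str:
        # A challenge is single use: consume it whatever the outcome.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return "no-challenge"
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "bad-mac"
        # Time not spent inside the fob was spent in flight, out and back.
        flight_ns = rtt_ns - self._turnaround_ns
        distance_m = flight_ns * C_M_PER_NS / 2
        if distance_m > self._max_distance_m:
            return "too-far"
        return "unlock"


def simulated_rtt_ns(distance_m: float, turnaround_ns: float,
                     relay_delay_ns: float = 0.0) -> float:
    """Constructed timing: flight both ways, fob turnaround, relay delay each way."""
    return 2 * distance_m / C_M_PER_NS + turnaround_ns + 2 * relay_delay_ns


def run_scenarios() -> dict:
    key = os.urandom(32)
    turnaround_ns = 1000.0
    fob = Fob(key)
    car = Car(key, turnaround_ns, max_distance_m=2.0)
    results = {}

    # Owner standing 1.5 m from the car.
    challenge = car.new_challenge()
    recorded = fob.respond(challenge)
    results["nearby"] = car.verify(recorded, simulated_rtt_ns(1.5, turnaround_ns))

    # The recorded response replayed against a new challenge: the MAC no longer matches.
    car.new_challenge()
    results["replay"] = car.verify(recorded, simulated_rtt_ns(1.5, turnaround_ns))

    # Genuine fob 30 m away, reached through a relay adding 200 ns each way.
    # The MAC is valid; only the timing gives the relay away.
    challenge = car.new_challenge()
    relayed = fob.respond(challenge)
    results["relay"] = car.verify(
        relayed, simulated_rtt_ns(30.0, turnaround_ns, relay_delay_ns=200.0))

    # A second answer to the challenge that was already consumed.
    results["reuse"] = car.verify(relayed, simulated_rtt_ns(1.5, turnaround_ns))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:7s} -> {outcome}")
```

One metre of distance is under 7 ns of round-trip time, so the bound is only as good as the timing resolution and the variance in the fob's turnaround.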


Radio hobbyists don't have the extensive lobby buying legislators like car manufacturers do.


Went ahead and ordered one of these last week after hearing stories about a potential ban. No idea what I’m going to do with it, but not being able to get one made me want to have one just to play around with.


For the hacker minded electronics geek, you can build out the same utility of the Flipper for pennies on the dollar from components if you can solder and write a bit of software in C or even Micropython. SDR is a pretty big hobby.

This move is really akin to banning a Hello Kitty Lockpick set after discovering most locks are snake oil, instead of demanding reasonably secure locks be sold instead.


If you actually know where to find a Hello Kitty Lockpick set please post a link. I know some people who would be very interested!


That is true you can cobble shit on a breadboard. And it's highly non-portable and extremely anti-usable.

Having a simple nice form-factor for something that can do under 1GHz am/fm, BTLE, IR, dallas 1wire, and pinouts for expansion in a simple smaller-than-cellphone device is pretty sweet.

Sure, script kiddies will be script kiddies. And sure, they shouldn't do bad shit, but they will. It's also your responsibility to run reasonably secure stuff.

And no, the FCC won't help you. You're not big money like cell, digital TV, or avionics.

------------------------

EDIT cause of too many comments bullshit:

This conversation chain is sure sounding like https://news.ycombinator.com/item?id=9224 , the whole "dropbox is inferior to FTP". We all know how that worked out.

Having done actual RF, electronic, software, and encasement design - it's nowhere as simple as "cobble it and 3d print a case and done". If it was, we would have seen a Flipper Zero like thing ages ago.

Prove me wrong. If it's that simple, point me to a blog or github that you execute on all the assets within a week. (because it ain't)


> That is true you can cobble shit on a breadboard. And it's highly non-portable and extremely anti-usable.

For the kind of person who does that putting it in a 'ok' case is not that much work...


The case is not trivial, not crazy, but not trivial. It's also the least hard part about putting together a similar package. A non-EE type person could probably get some dev boards from sparkfun/adafruit, and connect them up to a raspberry pi with some sort of display with some buttons. But that last mile of getting them to play nice, not be a massive battery hog, and have simple/usable software is man-months of work. This also assumes you have a passing knowledge of circuits and are a decent enough programmer to get a job, neither of which are low bars.

This is likely @pierat's point: sure, it's possible, but your diy version will be objectively worse in a variety of ways while also taking you a pretty long time to put together.


I agree, the skill acquisition time and effort would keep out script kiddies and normal consumers, but there's a large number of people who do have these skills, especially on this site.


Especially since many likely have a 3D printer, or a friend with one.


> That is true you can cobble shit on a breadboard. And it's highly non-portable and extremely anti-usable.

I've already done basically this level of stuff for my own custom bluetooth mechanical keyboard projects (a keyboard is larger overall, for obvious reasons, but the space beneath it where you can fit electronics is quite limited) and I've made a few resin cases for other electronic hobby projects. The software side of the Flipper is much more time investment but still something I could do if I was fully motivated and had no other obligations getting in the way. Or I would just cheat and specifically use the same STM32WB55 microcontroller and re-use the existing Flipper's firmware directly. Designing a case and a PCB for something of the Flipper's complexity is really not that hard. A day or two each.

Honestly, I find the Flipper's case to be pretty poorly designed for actual usability, it's mostly just directly exposing hardware externally in as small of a space they could get away with, it's a complete pocket brick otherwise. It's a striking visual design with the angles but actually kind of terrible at slipping in and out of your pocket and is awkward and clumsy to use one handed or subtly. Cell phones (at least up until very recently) carried similar radios, IR blaster, SD slots and ports in much better and smaller form factors, and are so normalized in public use that it might have flown under the radar both in consumer's eyes and regulator attention if it wasn't actually so visually distinctive.


I'd be highly interested in a cheaper DIY version, even if it were slightly uglier or bulkier. I don't feel I could do it well from scratch, but a tutorial or even a kit (like truSDX).


I'd be highly interested in an aliexpress version that has the same features and is software-compatible but at 1/5 the cost.


I own a 3D printer, and have a couple Raspberry Pis and breadboards in a closet somewhere. But there’s no way I’d have the time or inclination to put everything together in a way that is actually worth it over just paying $169 for a flipper. Someone already posted it but this reminded me of the “I don’t get the point of Dropbox when we already have FTP and CVS” comment from 2008.


FTP and CVS in 2008...Please remind us about this discussion in 2040!


But that's kind of the point, isn't it?

If you have the skills to build a GHz SDR from components, and write some C to attack a car starter, you probably have better ways to make $2k than stealing a car. Evilduck obviously has better things to do.

Releasing a Hello Kitty SDR makes these attacks practical for a much less capable population who actually will go steal a car.

I can testify that the bike theft industry in Toronto was driven by one mad genius for a generation. Igor Kenk was like a spiderman villain. He ran a vertically integrated business: providing specialized tools for cracking locks; training on their use; and then providing coke/crack directly for stolen bikes eliminating the cash-handling risks of the business. Just a total mad Chad.

If Flipper enables another guy like Kenk to build an empire of idiot car thieves, I can understand the butt-hurt.


They are super great for teaching kids. Absolutely brilliant little device.


One thing it's great at is discovering how easy it is to hack your own stuff. Garage door? Car? Anything bluetooth enabled? Your wifi? It's a great way to ground yourself in an understanding of what the security level is that you accepted in your day-to-day life, and then go "huh. And I guess that's been more than secure enough for me for years, so now I know my baseline".


When paying, was money still being transferred to russia?


Damn, I've been trying to sell mine.

Is there a used market place for them?


I think there is a place called 'electronic Bay'. You might try there.

Yes, that was a Ron Swanson reference.


There might be some variant of a r/hardwareswap.

Side note, if you/anyone in the Netherlands is trying to sell one I'm interested.


Drop me an email (on my profile) I'd be interested possibly.


Sold mine for $300 on ebay.


That's nuts considering they're available for $170, unless it was one of the sold out transparent ones.


Well, it was soon after they really got their shipping rhythm going.

I got mine in the mail, it sat on my desk for a few weeks because I was busy with other stuff, and it made me sad to just have it sit there unused. I wasn't completely sold on getting rid of it, so I put it on ebay for what I assumed to be an outrageous price, and it was gone within an hour. I shoulda bought 2!


Smart. That's the same reason I buy AR-15 stripped lowers and chuck them into storage whenever there are rumors of a ban.


Presumably having a flipper in your pocket, if the ban happens, will subject you to legal liability and something tells me the penalties will be less than stealing a car. So the people who are trying to use the flipper zero to commit a greater crime will simply not care and carry on because who cares about a misdemeanor when you are about to commit a felony.

Organized criminals can get bespoke hardware simply by hiring skilled labor overlooked or outcast by industry. Skilled tech-based criminals can build their own kit.

This hurts mostly people who want to get into some form of security or hacking and at best maybe stops high school antics but threatens to upend the entire way hackers have always honed their skills by doing and tinkering and also upending the small industries that support them and the security professionals who use the gear in production.

Edit: typo


I wonder if this ends up being more like lockpicks in practice. It's legal to own lockpicks but some jurisdictions consider possessing a lockpick to be prima facie intent to commit crime.


That at least heads toward rationality. Something along the lines of if you are caught with a flipper zero during the commission of a crime AND the flipper zero was used to further it then it becomes a "burglary tool" or some such classification.

Edit: typo... Again


I kind of hate the Flipper Zero on principle. It's basically a script kiddy device for hardware. People use them to essentially DDOS cell phones with BLE connection requests. You can do it with any micro controller with a 2.4ghz radio, but this thing makes it easy for annoying people to just pull a script from the internet and make it everyone else's problem.


> and make it everyone else's problem

Seems like the focus should be on who is allowing and enabling this type of usage. Manufacturers, since they do not act of their own free will, need to be compelled to actually release secure software.

If anything, I love that the Flipper Zero is revealing how vulnerable a lot of this technology is. It hasn't been this easy before to execute radio hacks while mobile, nor in such a game-like/product format. Consequently, I think many people have not realized how secure their devices actually are.

It seems that people are finally becoming aware of how unsafe many of these products are. Unfortunately, they are mistakenly focusing the blame on the wrong party.

Fixing the security holes also protects everything against truly "evil malicious" actors, not just "fun malicious" actors, so it has its benefits to force manufacturers to up their game.


There's a limit to how resilient you can make wireless communication. Ultimately protocols like Wi-Fi rely on everyone on the frequency working together to facilitate smooth communication. If you want to disrupt that, then you'll always be able to throw a wrench into that.


Denying communication will always be possible, you just have to be loud enough to drown everyone else out. But spoofing stuff doesn't have to be possible. You can design rf communications with various kinds of encryption that makes spoofing very difficult.


RF jammers also expose how vulnerable most RF devices are to DOS attacks. But I don't think that's particularly helpful to anyone, nor should those devices be unrestricted in their distribution or use.

RF spectrum inherently requires rules and cooperation -- if it were a free for all, user beware type of situation, it just wouldn't work.


The Flipper Zero scaremongering isn't about DoS attacks, but about protocol attacks. It probably could be used as a jammer but that's not interesting. It's more useful for demonstrating that a lot of firmware is about as secure as using plaintext telnet with u/p "admin/admin".


The GP mentioned DoS attacks which was why I pulled on that thread. The vulnerabilities exploited by this Flipper Zero are not novel, they're already known to industry experts. The main difference with this device is that they're more accessible to non-technical folks. That in and of itself is bringing attention to the issue, but is that really helpful? To me, it seems akin to handing out bricks in nice neighborhoods to highlight the security weaknesses posed by windows without bars on them. Security is not without cost. The ideal society to live in is not one with the most security, it is the one with the most trust.

A lot about order in society relies on most mischievants being actors of opportunity.


I’ve worked in infosec for decades. Yes, it’s absolutely helpful to bring attention to the issue. Manufacturers have historically ignored findings that didn’t get press. That’s why groups like Google’s Project Zero have policies to disclose vulnerabilities after the vendor has been given a reasonable window to fix them in. It’d be awesome if the vendors would fix their stuff without that pressure, but again, data shows that most won’t.

I think the brick and window analogy fails here. Thing is, the real bad guys generally already know about the best weaknesses to exploit. I think a better analogy would be pointing out that a storefront in a high-crime area doesn’t actually have glass in its windows. Robbers already knew that. Now the locals are telling the shop owner that they need to install some windows, quickly.


> Thing is, the real bad guys generally already know about the best weaknesses to exploit.

Who are "the real bad guys"? Highly motivated, highly intelligent attackers? That's a valid concern if you're a high value target, but most people aren't. The vast majority of crime is the result of ease and opportunity, not expertise.

I live in a place with high rates of vehicle thefts. Essentially all of them are performed by low skill attackers who use low skill attacks at the physical layer. Carjackers don't care about anyone's rolling code implementation.

I don't think Flipper Zero is anything to worry about, most abuse is probably just going to be edgy kids who are doing annoying things, unsyncing their friend's car keys, etc. But I disagree with the general sentiment that any proliferation of tools that escalates the need for security is always a good thing. Generally, increasing the opportunity and ease of crime is a bad thing.


While I get and appreciate your point, I still disagree. If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it. In the case of small, RF-configurable systems, there are already enough in the wild to get the attention of bad actors. I was in a conference where someone discussed exploratory attacks they'd found where an attacker would target an embedded medical device, compromise it, then have the device emulate a Bluetooth keyboard to target the victim's work computer.

I genuinely believe that the makers of such devices have coasted way too long on security through obscurity. These weaknesses need to be highlighted so that there's political pressure to fix them. If someone uses a Flipper Zero or the like to attack a cochlear implant, they should be punished for it. So should the manufacturer of the implant who released an insecure medical device into the wild. If the Flipper's popularity is what draws attention to the broken medical device, then good for Flipper! Maybe they'll patch the problem before North Korea can use it to launch cyberattacks.


I think that's a naively academic and cryptographically focused view of security.

Bad actors are not a monolith. There are many different types of attackers with different means and motivations who will take different actions against different targets and different types of technologies. Threat profiling is a thing for a reason, and it absolutely does matter whether or not a particular threat has the means and/or motivation to exploit a vulnerability. It is the only thing that does matter, outside of a technical academic context.

Yes, security through obscurity is not a rigorous approach to implementing a cryptography system, but it is a completely valid approach in other security disciplines outside of cryptography or digital security. Too many people make the mistake of incorrectly assuming that cryptography security principles apply to the broader practice of security as a whole. Digital security is only as useful as it is to support a holistic model of security. Digital security in isolation is just an academic exercise. It has to be implemented to be useful, and when implemented, operational security and threat modeling are very relevant.

> If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it.

It does matter what the real-world observed rate of patch compliance is, the cost to patch, and whether or not those tools will be used nefariously. If you have an academically obscure remote exploit for a pacemaker, that requires a hardware patch, please don't write a script that makes it easy for non technical people to exploit, and post it on GitHub. While this will certainly encourage a fix to future pacemakers, the cost may not be worth it.


Manufacturers can do better but aren't these users committing felonies? Why aren't we focusing on that? Also, maybe we don't want to deal with all the extra BS that secure RF requires.


This is the common excuse for adversarial hacking, and while it has some basis in fact it's also a justification for the endless security arms race and downward spiral into zero-trust. As the man said “Your scientists were so preoccupied with whether they could, they didn't stop to think if they should.”


On the other hand, it's exposing just how sloppy devices are with their wireless signals + code handlers.

IIRC this is in Canada, but in US (and probably Canada too), FCC has rules against creating harmful interference. Fine + punish the people creating the interference, rather than the tools that people can use to learn, debug + protect these devices that are vulnerable.


There is nothing this can do that a normal microcontroller can’t do. Banning this device does nothing to harm penetration testing. It just mitigates the ease with which these exploits can be widely abused.


That's kind of the point though - the more widespread you see it being used the more likely it is that the tool itself will get more attention and the targets of the tool will get more attention. The point of a bill like this is to show the population that politicians are doing something, and trying to avoid nation/global news covering the topic.

For another example of similar politician behavior just look at how LA is handling the graffiti towers. They're driven by concern about being on the national stage and the corruption of the whole system being put on display, not about the graffiti.


> Fine + punish the people creating the interference

This isn't a realistic solution because the difficulty of identifying people abusing these devices is high. The usual US approach is to jack penalties up way high to offset the low probability of capture, which inevitably leads to disproportionate sentences and an even greater erosion of respect for the legal system.


Security is needed because some don't want to play by the rules. If nobody tries to break in, why bother putting a lock on your door?


That's like saying any infrastructure is sloppily done because it's vulnerable to DDoS attacks. DDoS attacks are already illegal, but people still perform attacks. That's not the site operator's fault, and it's victim blaming.


Except here "DDoS" means "one person with a $200 radio". I don't expect my devices to stand up to prolonged attacks against state actors. I do hope they can survive someone sending them invalid packets.


Oh they'll survive invalid packets. It's the sheer amount of packets that are the problem, and wireless signals are just inherently hard to protect against malicious jamming.


That's not true. Again, forget jamming for a little bit. You can build a jammer with any random spark gap transmitter. The novel attacks are ones where a Flipper Zero can send an iPhone 1,000 "hey, I'm an Apple TV, wanna hang out?" messages in a row and the phone acts on each of them. Even if you space those messages out so that they only take a tiny percent of available throughput, the phone's response to the messages will still make it unusable.

Because such a flood is now easy to trigger, phones now implement rate limiting that effectively mitigates the attacks. After all, you're not legitimately going to see 1,000 Apple TVs trying to connect at once, so there's no need to give each one of them personal attention.
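
The rate-limiting mitigation described in the comment above, as an added example that is not part of the original thread and not any phone vendor's code: a token-bucket gate in front of a pairing prompt. The advert fields, prompt kinds, burst size and refill rate are assumptions; the flood is constructed input. It also shows why the bucket key matters: keying on a field the sender chooses (here the source address, which is assumed to change with every advert) limits nothing.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float
    refill_per_s: float
    tokens: float
    updated: float

    def take(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_s)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PromptLimiter:
    """Decides whether a received pairing advert may raise a UI prompt."""

    def __init__(self, key, burst: int = 2, per_minute: float = 2.0):
        self.key = key                    # function: advert -> bucket key
        self.burst = burst
        self.refill_per_s = per_minute / 60.0
        self.buckets = {}
        self.suppressed = 0               # counter a defender can export as telemetry

    def should_prompt(self, advert: dict, now: float) -> bool:
        k = self.key(advert)
        bucket = self.buckets.get(k)
        if bucket is None:
            bucket = Bucket(self.burst, self.refill_per_s, float(self.burst), now)
            self.buckets[k] = bucket
        if bucket.take(now):
            return True
        self.suppressed += 1
        return False


def constructed_flood(n: int = 1000, interval_s: float = 0.01) -> list:
    """Constructed input: n adverts of one kind, each with a different address."""
    return [
        (i * interval_s, {"addr": f"addr-{i}", "kind": "tv-pairing"})
        for i in range(n)
    ]


def prompts_shown(limiter: PromptLimiter, timed_adverts: list) -> int:
    """Count how many adverts in the sequence would reach the user."""
    return sum(limiter.should_prompt(ad, now) for now, ad in timed_adverts)


def compare() -> dict:
    flood = constructed_flood()
    by_addr = PromptLimiter(key=lambda ad: ad["addr"])   # sender-controlled key
    by_kind = PromptLimiter(key=lambda ad: ad["kind"])   # receiver-defined key
    return {
        "per-address": prompts_shown(by_addr, flood),
        "per-kind": prompts_shown(by_kind, flood),
        "per-kind suppressed": None if by_kind.suppressed == 0 else by_kind.suppressed,
    }


if __name__ == "__main__":
    print(compare())
```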


Do you also dislike say the arduino or the raspberry pi which popularized sbcs/microcontrollers, as they can be used for nefarious tasks? What about bell labs, without whom none of these issues would have occurred?

Technology will always develop, it's important to plan and regulate it, sure, but bans need to be extremely carefully thought out to enforce well.


Even the smallest amount of friction to acquiring a device like this (e.g. you have to build your own and flash your own firmware) would prevent basically all the attacks we see on the news with a Flipper. "Script kiddies", by definition, are buying pre-made, turnkey devices and lack the ability to build their own.


This is a really expensive device in Canada, and you do have to flash the firmware if you want access to the more harmful capabilities.

The people stealing cars are an international organized group that have managed to exploit holes in the federal government, the railroad companies, and the ports. The way they are stealing these cars is outside of the capabilities of a stock flipper, and requires custom hardware.

Banning the flipper is going to do precisely nothing to increase the friction on the problem they are trying to solve.


The problem they are trying to solve is the perception they aren't doing anything to stop organized car theft.

Banning the Flipper is a minimal effort way to minimize it as an election issue.


If people are stealing cars with a Flipper, banning it seems like more than a token gesture


The major ports (Montréal and Vancouver) are controlled by organized crime. But those people are scary (and/or well-connected). Much easier to go after hobbyists.

Sport shooters can insert a certain James Franco meme here.


If you choose, as Flipper Zero has, to market your device as a tool for "pentesting radio protocols, access control systems, hardware", I think you have some responsibility to mitigate the obvious and trivially foreseeable consequence of people using it to just outright penetrate those things.


That's fair, I wasn't aware that was how they advertised it. I would hope they use more responsible advertising, however I still don't think that deserves it to be banned.


How do the developers of Kali Linux mitigate against black hats? They don't. It's impossible.


They don't, for example, make posts on the front page of their public website (https://flipperzero.one/) about specific technologies such as key cards which are subject to easy exploitation.


i’d be more forgiving of the device if it had practical utility beyond “fucking up other people’s shit”. for me it’s in the same category as stink bombs, glitter bombs, and vuvuzelas.


I use mine as a handy NFC reader/writer, and for emulating a handful of badges and key fobs so I don't have to carry them all around with me.

So are you more forgiving of it now?


I use mine to open my own garage door and I use the GPIO pins to check if some of my I2C devices on my breadboards are using the correct address they are supposed to be using.


Does this mean your garage door doesn't have rolling codes, or does it mean that you know how to make the flipper work with that?


Presumably since they have access to their own garage door the Flipper can be synced as a new remote without any "hacking" or brute forcing rolling codes.


It's also a pretty useful device if you are into electronics. Or need backups of your access cards. Or of your silly garage key fobs. There are many great uses of this thing. I'm also annoyed by the script kiddies, but I do like the device. A lot.


Script kiddies aren't new, they will always be around regardless of the tools. The response is build better tools to mitigate their rudimentary attacks.


That works OK if you can deploy through the net. But many devices are not net connected (eg garage door openers) and we've seen the many problems with trying to make every electrical appliance net connected - surveillance, data leaks, remote shutdowns, device bricking when the IP connectivity goes down. Technology shouldn't force consumers into endless upgrade cycles in the name of better security.


I don't think it is limited to skiddie use, it's a nice hardware platform that is pretty easy to write for. I've gotten my kabuki desuicide pretty much functional on it. It's already FCC'd, has a BMS and lots of other things that are a pain to get right.

There is something about lowering the bar to disruption, and the possibility of this causing a bit of a reckoning for devices that don't do a good job of "Accepting any interference received"


Why not hate the cell phone manufacturers for not making secure devices?


Part of the problem is that the design feels somewhat toy-like with the bright plastic etc. This makes using it feel like a game, and masks the seriousness of potential consequences. Some people have implanted insulin pumps and other medical devices controlled over bluetooth, and a flipper zero user may have no concept of this.


That last bit is absolutely infuriating. Medical device manufacturers are cranking out insecure devices that rely on security through obscurity. No, I don't think people should be using Flipper Zeros to hack someone else's insulin pump. It's also unforgivable that someone should make an insulin pump that another can hack with a Flipper Zero.

I use netcat for legitimate things every day. If someone made an IP server that I could hack with netcat, they should be ashamed of themselves. It's not netcat's fault that their security sucks. Well, same with Flipper Zero.


"medical devices controlled over bluetooth, and a flipper zero user may have no concept of this."

And they would if it were not in a "bright plastic case"?


Making RF tinkering more accessible is a great way to get actual kids into tech and learning about how stuff works.


People use them to essentially DDOS cell phones with BLE connection requests.

That's one of the situations where I'd feel justified in taking a device and stomping it to bits, and I'd support anyone else doing the same.

If anyone does encounter this in the wild with Apple devices, first, install your damn updates because I'm pretty positive this is now blocked, but in the meantime turn on Lockdown mode to keep this from interfering with you.


You might feel justified, but courts would likely disagree.

Apropos of anything else, the FCC regs around the 2.4GHz spectrum are pretty explicit, "Part 15 devices ... must accept any interference that may be received". In their eyes, the device that is flawed is the phone, not the Flipper.


I've been at a conference where someone decided doing this would be amusing. I'm pretty positive there would have been widespread support for addressing the issue with a little property destruction, with the alternative being "Congratulations, you've shown you can't play nicely. Your admission to the conference is revoked, you're blacklisted from our future conferences, and we'll let the organizers of other local conferences know your name and why you're banned from our conference so they'll be forewarned."

As for courts, if this hadn't already been resolved (at least on iOS) I wonder if you could request that jurors and the judge turn their phones on for a demonstration. Given the state of Android updates in the general public, it'd probably still be effective on a significant percentage of people.


I believe there's equivalent language (even for licensed uses) about not causing interference, so probably the Flipper and the phone are doing poorly here.


My understanding, entirely possible that it is incorrect, is that the "not causing interference" is to "authorized services", i.e. specifically licensed frequencies and users/devices, not other users of those "free-for-all" spectrums. But I may well be wrong, in which case I would agree with you.


Agreed. I get why folks on this site repeat the mantra that it's shedding light on insecure hardware, and of course that's true. But civilization depends not on ironclad laws and politics, but on good faith actions. An unhackable society would be a pretty miserable one.


Buddy, I'm from Ukraine and drone jammer and drone early warning schematics are basically public knowledge at this point. Drones mostly use the same sub-1GHz bands, 2.4 GHz bands and 5 GHz bands that other consumer electronics also use. You can't put this genie back into the bottle. Both radio- and cyberwarfare are here to stay. Y'all just don't know it yet.

After the war there are going to exist a whole bunch of people who know how to deny GPS, defend against drones, build attack drones that bypass primitive countermeasures, spoof mobile networks, monitor the RF space for unencrypted signals, and set up actually secure comms. And not all of them are going to remain completely silent about all of this. Toys like Flipper are going to be the least problematic. Banning it achieves nothing.


This, I saw an anecdotal Reddit post about a guy DDoSing cell phones in a restaurant and showing off to his table. These kinds of devices attract the worst people.


These devices attract the very kind of people who cause them to get banned. Sure the device is fine, but not the assholes who want them to fuck with other people.


People are already driving around with fake base stations sending scam sms impersonating legit senders


Agreed. If people could do it before then why weren't they?


I’m running this in the coffee shop now in honor of this comment


It's OK. We hate your apple devices too.

BTW, wanna connect to the Apple TV? :D


I got the black Kickstarter-only version. I got interested in coding in C again. My (now) ex broke up with me over this thing on the mistaken notion that I was messing with her somehow electronically. I got told I had to leave. Tonight. And take all my electronics with me. She cited having her "black hat friend" looking into it and he said it was pretty evil. I am sure she is reading the recent news with some level of satisfaction.

I bought another a couple months later and if I can get over my ADHD, I still hope to make the radio chat useful.


Sounds like you dodged a bullet there. She sounds crazy AND stupid.

My SO was like, "Where's mine?"


> She cited having her "black hat friend" looking

On the first pass I read it as: "She cited having her tinfoil hat friend looking into it"..


>the mistaken notion that I was messing with her somehow electronically

Let me guess...via 5G?


No, it's interfering with the nano antennas injected with the Covid vaccines..


The term that we're looking for here is "moral panic".


I knew from the headline this was about my beloved Flipper Zero.

It is absolutely a scapegoat. There's nothing magical about it, and it doesn't do anything that can't be done with other devices.


What do you love about it? I have one and I've only used it very occasionally (e.g. https://blog.jgc.org/2024/02/repairing-sort-of-dyson-fan-rem...). I did make a backup of the NFC card that I use to charge my car because it's super useful to have a duplicate, although even that I barely use because I'd need to carry the Flipper Zero around with me.


Cloned various remote controls (treadmill, ceiling fan, floor fan) into one interface.

Also the article isn't wrong, it's cute!


Are these all infrared? Because I've done that and it's handy, but I could also have done that with a universal remote.


Only the floor fan is infrared. The rest are radio.


Or just get a few smart home products, connect your devices, and automate everything from your phone. Easier than carrying around your Flipper Zero at home.


"Replace your ceiling fan and treadmill" is certainly not easier than having a small device sitting on my desk.


What is the use case for a flipper zero and a treadmill?

There are plenty of automations you can do with a treadmill and a smart plug, but I can't think of a single use for a treadmill and any of the components in a flipper zero.

Are you just turning on the fan from the treadmill? That would be better served using a power reading from the treadmill and an IR blaster.

You can tie in other automations as well. I have mine setup to turn off a light that causes a TV glare visible only from the treadmill and to turn on an extra speaker next to the treadmill


It is an under desk / walking treadmill. I'm turning it on and off and adjusting the speed. I really don't need more advanced automation.


Why on earth would you do that? An IR blaster costs $25 and will connect to Homebridge so you have it in Apple Home (or Android whatever). I made 2 dehumidifiers and 2 floor fans “smart” by buying the cheapest possible smart plugs on Amazon, an Amazon branded smart plug cost me $1 during a sale.

BroadLink RM4 Mini IR Universal Remote Control, Smart Home Automation Wi-Fi Infrared Blaster https://a.co/d/8GnOVRU


That covers the floor fan. Now I need a radio blaster to control the ceiling fan and treadmill. So two extra devices, plus having to set up new automation integrations. This all sounds WAY more complicated than just cloning the remotes like I've done. Would it be more flexible/powerful? Absolutely. Do I need any of that? Absolutely not.


Then you pay $15 more for the IR/RF blaster combo and a $35 raspberry pi 3. If you can copy an image to an SD card you can install homebridge (or home assistant). You already saved money over the $169 cost of a flipper zero and your fans/treadmill can come over whenever you enter the room or at a certain time of day.

If you can play with a flipper zero you can setup automation.


I honestly don't know what point you are trying to make.

Of course I can set up automation. I have Home Assistant running in my house already.

I also happen to own a Flipper that does a great job at controlling these devices.

Why would I introduce complexity where simplicity is working great?

I'm done with this conversation, I'd say it's been fun, but..


OP said only one device was infrared and you don't know how their other devices behave when just turned off and on. Also, smart plugs can only turn things off and on, whereas OP cloned the whole remote.


From what I understand, it is magical in the sense that it makes everything easy to do, even for people without much knowledge.


It makes some things magically easy to do, but stealing cars is not one of them.


Depends very much on the car. Do you own a Hyundai or Kia?


Maybe we should ban Hyundais and Kias until they fix their security holes. Just an idea about banning things


the whole debacle with hyundai/kia is that they shipped cars where you can physically start it without electronics


There’s an electronic attack too. This apparently affects many late-model Hyundai/Kia vehicles up to 2023 or so.

https://www.reddit.com/r/Ioniq5/comments/17lksic/increase_in...


> named after the virtual dolphin from the movie Johnny Mnemonic

The dolphin was named Jones not Flipper. And Jones was also a part of the short story that predated the film adaptation by several years. Check out "Burning Chrome," William Gibson's collection of short stories, for this and others. Well worth the read.


Yes, Flipper was the name of a dolphin in a 1960s TV show of that name (that has had various TV and movie reboots since). That's the reference they were going for.


Crazy idea – what if we just got back to physical keys for car?

Simple, cheap, ecological, durable – what's not to love?


I hated the idea of push button start and wireless keyfob; until I got one. Now I feel put out every time I have to dig my keychain out of my pocket.


I’ve had wireless hire cars. Horrible things, never sure where the key is and tend to come with “features” like automatically locking and setting the alarm if you walk away from the car


And then they unlock automatically when you walk back to them. Much more convenient than having to manually fumble for the lock and unlock buttons. Not sure what the problem is here!


Alarm goes off as the car isn’t empty


Never had this happen in my experience. Sounds like an issue with an aftermarket alarm?


Park at a convenience store. Go in to get a coffee. Leave friends in car. Friend decides they want a coffee too. They open the door-- car alarm goes off. I'm sure some cars are better programmed but this has happened to me in several cars. (For the record, I still prefer keyless!)


Having a keyfob at all seems awkward and old-fashioned after driving a Tesla. Same goes for the start/stop button.


> Crazy idea – what if we just got back to physical keys for car?

At any point did you stop and ask yourself, "I wonder why they put that fence there?"

> Simple, cheap, ecological, durable – what's not to love?

What's not to love is the part where even a random HN user who hasn't professionally worked on cars in over 30 years could probably be driving down the road in your car before your dog even barks. Go ask some (probably former) Kia and Hyundai owners.


And did the guy who worked in cars for over 30 years hear about keys with chips?


So, you're bringing computing machinery into this? Then we're not really talking about physical keys anymore, are we? Sounds like we're talking key exchange, immobilizers, and all kinds of stuff beyond simply "physical keys".


Do you mean physical keys before the advent of immobilizers? Go ask Kia or Hyundai how well that works for preventing your car being stolen.

Meanwhile, the wafer locks used for car keys to allow them to be used "upside down" unlike your house keys are super easy to pick, because wafers are inherently flexible and the tolerances have to be lax.

Rolling code key fobs and immobilizers are actually the most secure cars have ever been, and made it way harder to steal cars in general right up until two brands wanted to save 100$ per car and ALSO design them in the most stupid way possible (the raw key cylinder is easily accessible and manipulatible to anyone with a rock, compared to other brands that bury the cylinder itself deep into the steering column so it's protected).

We don't need any new law, we just need Kia and Hyundai punished for cheaping out on important security features.

If Ford tomorrow replaced all keys with a button with no security, would you want to ban fingers? The fingers aren't actually the problem here.


Hyundai learned this pretty recently. Physical keys are insufficient to prevent casual theft of vehicles. Even a properly designed ignition cylinder retention system is no match to someone with a fence and a drill.

Canada also makes transponder keys mandatory, because it's just too easy otherwise.


For one, we never quite managed to convince people that the wiggly bits of metal were an important secret that should not be photographed. Cryptography can in principle be harder to duplicate/impersonate. (If, and big if, it's implemented correctly)


Making duplicate keys from a photo is almost entirely an academic exercise. Criminals break locks much more quickly by using force.


Por que no los dos?

I mean - why don't we just integrate the dongle signal being necessary to unlock the car into the existing process and still require a physical key. As a bonus the key could be designed to interface with the car to communicate any signing tokens over a wired connection in the key socket instead of having any radio/wireless capabilities at all.


That’s been the way in the U.K. for 30 years - power runs into the key, chip in the key of some level of cryptography is used to decode.


Same in the US.


I think physical keys are considerably less secure. Car thefts have been on the upswing for the past few years, but the rates are still much, much lower than they used to be when cars with physical-only locks were common.


Cars with keys only are much easier to steal. You just have to break the physical barrier and twist the keyhole in the column, for example, rather than dick around with a device. I guess it depends what type of criminal you are.


I lost the key for my 1997 Micra once. No way it was starting without overriding the chip in the key, had to be towed to a dealer to reprogram it.


Most vehicles already have a physical key as a backup to open the door. The alarm will go off if you do this and the RFID in the keyfob is still required to start it up.

The fact that you effectively need two keys to steal the car is more secure.


I hate to burst your bubble but there's almost no physically keyed lock systems that are meaningfully secure and of the lock types that are difficult, none of them are featured in cars as far as I'm aware and employing those types of lock in cars is probably more expensive than what's currently being done.

See Lockpicking Lawyer popping many car lock types in these videos. If he wasn't trying to show and tell on a video, most of these car locks would just take a few seconds in skilled hands.

https://www.youtube.com/watch?v=eVZ67dcY9_g https://www.youtube.com/watch?v=F8fbxN3Z5e8 https://www.youtube.com/watch?v=c1MMT08A9kY https://www.youtube.com/watch?v=FRZ2YXlZV-o https://www.youtube.com/watch?v=ZtkNQSk9xRU

Physical keys combined with [actually] secure electronic or radio combinations are still your best bet, though Kia and Hyundai felt like they could save a buck by not doing that. But even still, if the user can trivially or quickly unlock something, there's a good chance the design constraints will force a compromise that weakens security.


> I hate to burst your bubble but there's almost no physically keyed lock systems that are meaningfully secure

That's obviously the same for FOBs, except that you don't even need to hide yourself to fraudulently open the lock, as you can do everything hidden a couple meters away.


Security (especially as it relates to stealing an entire vehicle) and convenience.


I don't know what I'd do with it, but the fact that it's going to be banned makes me want one.


This. What better publicity could you ask for?? (I love mine and use it for harmless things)


It's definitely a scapegoat, but aren't some of the statements in this article false? For example, I thought it can be used in NFC relay (not replay) attacks with an app. I also thought there are alternative firmware options that you can use to precompute values to roll forward codes.


I bought one specifically due to a concern that they would get banned. Haven't even booted it up yet, but glad I possess one.


It certainly is a scapegoat, the law should be trying to prevent the misuse of technology rather than the ownership of technology. Like guns it is the misuse that kills not the ownership. Most people being killed by guns are from unlicensed and unregistered firearms and it is a misuse. Same should be said about technology as well.


You mean illegally owned firearms. In most of America there is no registration or licensing requirement.


> registration

If you purchase a firearm from an FFL anywhere in the United States, you are required to fill out an ATF form 4473 and do a NICS background check. There isn't a giant database of all firearms in the US indexed by owner and serial number, but those 4473s do exist and are handed over to the Federal government pretty regularly by FFLs.

> licensing

In most places (eg those with "Constitutional Carry"), the only license you need is to not be a prohibited person (not mentally ill, a felon, no violent misdemeanors involving stalking or domestic violence) and old enough to purchase a gun in the relevant state. But if we just go by raw population, most people in the US would need to go through a more substantial process.


Not to mention you don't need to use an FFL at all in many (most?) cases.


15 states have mandatory background checks (which in practice means going through FFL) for all firearm purchases.


15/50... that's not most


He was probably referring to Canada since the article is about Canada.


I resonate well with Canada, but I live in one of the states where firearms have to be registered and you need a license to carry.


For me the page briefly loads and then quickly gets replaced by 404 in large letters. Anyone else got that problem?


I am not seeing that, but here [1] is an archive if that helps at all.

[1] - https://archive.is/0Hc1l


Same issue here. Maybe adblocker or VPN related.


Anyone serious about causing chaos is probably not using one anyway.

On the other hand, there is a similar device that can spoof GPS. When I saw that, I was more along the lines of "OK, that maybe we should ban."


I actually gave my two flippers away because I didn't think there were enough viable attack surfaces here in Sweden.

But I can totally see how they're useful in other less developed countries.


I saw what you did there.


Sadly it was sold out in Canada already. The price point is HIGH though so maybe I should just learn electronics to build one.


I have one, and I occasionally drive to Canada. Definitely need to be aware not to have it on me anymore. :-/


Dum dumb dum. Tools aren't the problem. Don't criminalize tools, criminalize behavior.


Saw the news sometime earlier about a brand new and similar device, but better :)

It's RISC-V.


Haven't seen. Couldn't quickly find. Got a link?


I did double check, my bad, it is ARM.


previous discussion (2/8/24): https://news.ycombinator.com/item?id=39308731


It is a scapegoat, and banning it is theatre.

The current government of the Trudeau Liberals knows what actual steps it could take to combat car theft, involving dismantling organized crime controlling the ports, and does not want to do it. Instead, they create a scapegoat, ban it, and pretend that they're doing something.


The Flipper Zero is a nice device but are there any cheaper alternatives?


(Ok, I’ll remove them as they aren’t helpful. Thanks.)


None of these are the same class of device. They're all specific hardware for specific tasks that are handled by the small handheld flipper. While the flipper may not be as great of a device as each of these, none of these are smaller and definitely not cheaper.

What OP was looking for was more along the lines of the Arduino / ESP projects built much like the flipper.


I assumed from the title that the American feds wanted to ban the Flipper Zero. Canada is a small country, and "Feds" in English almost always refers to the national government of the United States.

The previous discussion title used "Canadian government" to refer to these particular Feds: https://news.ycombinator.com/item?id=39308731


The United States is not the entirety of the world. There are many other countries that are federations, and some of them have English as one of their national languages. I can assure you that in those countries, colloquial use of "feds" does not refer to the American federal government.


The United States is the majority of the English-speaking world with a federal government.


Even if that were true, that doesn't mean that it gets to be the default in any context.

But you're wrong, because the largest English-speaking country with a federal government is actually India.


Do they really need something extra?

It's made to operate like a non-certified radio device; are there even new laws needed to cover the case where you emit radio waves without a licence?

+ at risk of being coerced into following Russian laws: https://www.reddit.com/r/flipperclub/comments/13b6emd/flippe...


The Flipper Zero is ISED (CA FCC equivalent) conformant/certified. In stock configuration, it transmits only in bands where no license is required, such as the ISM bands.

However, the operator is ultimately responsible for the emissions of their devices.


I wasn't aware of the Russian link. Does anyone have links to public statements from the founders?

They appear to live in London, so silence isn't good enough in my book.

Though I've long ago stopped buying toys from China, so this is probably ruled out for me on that basis.



