
> and make it everyone else's problem

Seems like the focus should be on who is allowing and enabling this type of usage. Manufacturers, since they do not act of their own free will, need to be compelled to actually release secure software.

If anything, I love that the Flipper Zero is revealing how vulnerable a lot of this technology is. It hasn't been this easy before to execute radio hacks while mobile, nor in such a game-like/product format. Consequently, I think many people have not realized how secure their devices actually are.

It seems that people are finally becoming aware of how unsafe many of these products are. Unfortunately, they are mistakenly focusing the blame on the wrong party.

Fixing the security holes also protects everything against truly "evil malicious" actors, not just "fun malicious" actors, so it has its benefits to force manufacturers to up their game.




There's a limit to how resilient you can make wireless communication. Ultimately protocols like Wi-Fi rely on everyone on the frequency working together to facilitate smooth communication. If you want to disrupt that, then you'll always be able to throw a wrench into that.


Denying communication will always be possible, you just have to be loud enough to drown everyone else out. But spoofing stuff doesn't have to be possible. You can design RF communications with various kinds of encryption that make spoofing very difficult.


RF jammers also expose how vulnerable most RF devices are to DOS attacks. But I don't think that's particularly helpful to anyone, nor should those devices be unrestricted in their distribution or use.

RF spectrum inherently requires rules and cooperation -- if it were a free for all, user beware type of situation, it just wouldn't work.


The Flipper Zero scaremongering isn't about DoS attacks, but about protocol attacks. It probably could be used as a jammer but that's not interesting. It's more useful for demonstrating that a lot of firmware is about as secure as using plaintext telnet with u/p "admin/admin".


The GP mentioned DoS attacks which was why I pulled on that thread. The vulnerabilities exploited by this Flipper Zero are not novel, they're already known to industry experts. The main difference with this device is that they're more accessible to non-technical folks. That in and of itself is bringing attention to the issue, but is that really helpful? To me, it seems akin to handing out bricks in nice neighborhoods to highlight the security weaknesses posed by windows without bars on them. Security is not without cost. The ideal society to live in is not one with the most security, it is the one with the most trust.

A lot about order in society relies on most mischievants being actors of opportunity.


I’ve worked in infosec for decades. Yes, it’s absolutely helpful to bring attention to the issue. Manufacturers have historically ignored findings that didn’t get press. That’s why groups like Google’s Project Zero have policies to disclose vulnerabilities after the vendor has been given a reasonable window to fix them in. It’d be awesome if the vendors would fix their stuff without that pressure, but again, data shows that most won’t.

I think the brick and window analogy fails here. Thing is, the real bad guys generally already know about the best weaknesses to exploit. I think a better analogy would be pointing out that a storefront in a high-crime area doesn’t actually have glass in its windows. Robbers already knew that. Now the locals are telling the shop owner that they need to install some windows, quickly.


> Thing is, the real bad guys generally already know about the best weaknesses to exploit.

Who are "the real bad guys"? Highly motivated, highly intelligent attackers? That's a valid concern if you're a high value target, but most people aren't. The vast majority of crime is the result of ease and opportunity, not expertise.

I live in a place with high rates of vehicle thefts. Essentially all of them are performed by low skill attackers who use low skill attacks at the physical layer. Carjackers don't care about anyone's rolling code implementation.

I don't think Flipper Zero is anything to worry about, most abuse is probably just going to be edgy kids who are doing annoying things, unsyncing their friend's car keys, etc. But I disagree with the general sentiment that any proliferation of tools that escalates the need for security is always a good thing. Generally, increasing the opportunity and ease of crime is a bad thing.


While I get and appreciate your point, I still disagree. If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it. In the case of small, RF-configurable systems, there are already enough in the wild to get the attention of bad actors. I was in a conference where someone discussed exploratory attacks they'd found where an attacker would target an embedded medical device, compromise it, then have the device emulate a Bluetooth keyboard to target the victim's work computer.

I genuinely believe that the makers of such devices have coasted way too long on security through obscurity. These weaknesses need to be highlighted so that there's political pressure to fix them. If someone uses a Flipper Zero or the like to attack a cochlear implant, they should be punished for it. So should the manufacturer of the implant who released an insecure medical device into the wild. If the Flipper's popularity is what draws attention to the broken medical device, then good for Flipper! Maybe they'll patch the problem before North Korea can use it to launch cyberattacks.


I think that's a naively academic and cryptographically focused view of security.

Bad actors are not a monolith. There are many different types of attackers with different means and motivations who will take different actions against different targets and different types of technologies. Threat profiling is a thing for a reason, and it absolutely does matter whether or not a particular threat has the means and/or motivation to exploit a vulnerability. It is the only thing that does matter, outside of a technical academic context.

Yes, security through obscurity is not a rigorous approach to implementing a cryptography system, but it is a completely valid approach in other security disciplines outside of cryptography or digital security. Too many people make the mistake of incorrectly assuming that cryptography security principles apply to the broader practice of security as a whole. Digital security is only as useful as it is to support a holistic model of security. Digital security in isolation is just an academic exercise. It has to be implemented to be useful, and when implemented, operational security and threat modeling are very relevant.

> If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it.

It does matter what the real-world observed rate of patch compliance is, the cost to patch, and whether or not those tools will be used nefariously. If you have an academically obscure remote exploit for a pacemaker, that requires a hardware patch, please don't write a script that makes it easy for non technical people to exploit, and post it on GitHub. While this will certainly encourage a fix to future pacemakers, the cost may not be worth it.


Manufacturers can do better, but aren't these users committing felonies? Why aren't we focusing on that? Also, maybe we don't want to deal with all the extra BS that secure RF requires.


This is the common excuse for adversarial hacking, and while it has some basis in fact it's also a justification for the endless security arms race and downward spiral into zero-trust. As the man said “Your scientists were so preoccupied with whether they could, they didn't stop to think if they should.”



