Canadian government banning Flipper Zero to combat auto theft

See also (from threads we&#x27;ve merged hither):<p><a href="https:&#x2F;&#x2F;arstechnica.com&#x2F;security&#x2F;2024&#x2F;02&#x2F;canada-vows-to-ban-flipper-zero-device-in-crackdown-on-car-theft&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arstechnica.com&#x2F;security&#x2F;2024&#x2F;02&#x2F;canada-vows-to-ban-...</a><p><a href="https:&#x2F;&#x2F;www.bleepingcomputer.com&#x2F;news&#x2F;security&#x2F;canada-to-ban-the-flipper-zero-to-stop-surge-in-car-thefts&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.bleepingcomputer.com&#x2F;news&#x2F;security&#x2F;canada-to-ban...</a>

The Flipper Zero is a general-purpose tool and STEM educational device. By banning the device, a country would be setting back their workforce of engineers and scientists a bit.<p>How can you use a Flipper Zero to steal a car? Flipper Zero can&#x27;t crack hard encryption.<p>Is the real problem that cars were made with security that they already knew was negligently weak at the time? If so, is a recall of those cars more appropriate?

This is typical. All this stuff about people knowing where their cars are and the police, CBSA etc not doing anything about it*, the complicity of all the port and shipping people, but the government pretends banning some electronics will change something. I don&#x27;t know what people expected from a &quot;summit&quot; or whatever they did, there are lots of clear steps we could take, but instead we get this.<p>*see <a href="https:&#x2F;&#x2F;www.cbc.ca&#x2F;news&#x2F;canada&#x2F;toronto-man-finds-stolen-truck-in-uae-1.7083615" rel="nofollow">https:&#x2F;&#x2F;www.cbc.ca&#x2F;news&#x2F;canada&#x2F;toronto-man-finds-stolen-truc...</a>

In the grand scheme, these are remarkably unsophisticated devices. It&#x27;s almost a meme in RF circles to excitedly buy one and then immediately realize it&#x27;s just a Girl Tech IM-me with NFC.<p>If you want to do real damage there are portable SDRs that can jam GPS and transmit just about any arbitrary radio signal from DC to 6GHz for less than $500. This is a mildly powerful toy that has a large, intelligent and curious community around it.<p>The reality is RF stuff is wildly under-explored right now outside of military spaces. On the consumer side I&#x27;d guess we&#x27;re somewhere around the early 2000s internet in terms of security posture. It&#x27;s probably best to consider the flipper community to be a gift of minimally destructive pentesters relative to what they could be if someone wanted to actually dish out real electronic warfare.

Canada has totally lost its way. Housing is a massive issue. Healthcare is under constant attack. Immigration is used to prop up a failing economy. We don’t really make anything. Wages are lower than the US just because. There’s no negotiating power. The dollar is weak. We can’t extract most of the available resources because of the weather and environmental concerns. The praries are being sold off to foreign investors. The smartest and most educated leave. Starting to feel like a fool for sticking around.

Never cared much about the Flipper Zero personally, but now that governments are banning them I guess it&#x27;s time to buy one. Great unintentional marketing campaign, Canada!

This feels like a loud solution to assuage the outrage of the month.<p>None of the articles on this are actually showing the numbers. <a href="https:&#x2F;&#x2F;www150.statcan.gc.ca&#x2F;n1&#x2F;daily-quotidien&#x2F;230727&#x2F;cg-b004-eng.htm" rel="nofollow">https:&#x2F;&#x2F;www150.statcan.gc.ca&#x2F;n1&#x2F;daily-quotidien&#x2F;230727&#x2F;cg-b0...</a><p>Car thefts have increased by a significant amount outside of their normal fluctuations, but they are still much much lower than they were before 2010. To call it a crisis is hyperbole. Canada&#x27;s car thefts are the approximately the same rates as the US.<p>Flipper zero is a casualty of poor security practices, and the insurance companies need to be going after the car manufacturers for making it so easy. I would even say if it&#x27;s so easy to bypass, then buttonless start should never have even been legal.<p>You can ban the flipper zero, but it does not seem that difficult to get them into the country nor does it seem difficult for criminals to make their own.

Canadian government once again proving it is stupid. These are the same groups that had moral panics and tried to ban video games and rock and roll without any actual information.<p>Just root a phone and you have a far more powerful hacking platform.

Relevant part:<p>&gt; Innovation, Science and Economic Development Canada (ISED) Innovation, Science and Economic Development Canada will work with Canadian companies, and the automotive industry, to develop new solutions to protect vehicles against theft and to assist with recovery of stolen vehicles.<p>&gt; ISED will pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.<p>The actual solution would be to force auto makers to have better security that can&#x27;t be cracked by script kiddies. Banning a tool like the F0 is like banning hairpins or paperclips because they can be used to pick locks. Their primary &quot;purpose&quot; isn&#x27;t that at all. What would be okay is to ban the <i>use</i> of an F0 to steal a car. Not ownership of an F0, or a screwdriver.

Like every other wide-spanning law the Canadian Government has passed lately (including the one on firearms and the soon-to-pass adult-content on the internet), I imagine they will ban swathes of legal products that use RF and do nothing to actually prevent crimes from occurring.<p>Thanks to our Parliament!

This is so misguided. If I can in any way steal a car with a Flipper Zero (regardless of firmware), that car should be recalled and fixed by the manufacturer.

This just means that only criminals will use Flipper Zero. And they were already stealing cars. I don’t think they will mind one additional illegal activity.<p>But how many previously law abiding citizens will be hurt by not having this technology, or becoming criminals now?

So after this law, the honest people cannot have Flipper Zeros, and the criminals will simply continue breaking the law and acquire one.

It not banned yet: might be worth to send comments to Jean-Sebastien.Comeau@iga-aig.gc.ca the email address on that page.<p>&gt; Office of the Honourable Dominic LeBlanc Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs

It appears that Flipper Zero is virtually useless in almost all car thefts and is just being unfairly targeted by Trudeau. Also, the company didn&#x27;t even get a heads up about being falsely blamed:<p>&gt; Alex Kulagin, COO of Flipper Devices, said in an interview that his company received no communication from the Canadian government ahead of Thursday’s statements.

Ah, the irony... in the 90&#x27;s you had to get your RF scanner FROM Canada or it would have analog cellular frequencies blocked!

So if I&#x27;m reading this right, they&#x27;re banning something that is too underpowered to run the exploits people are using to steal cars (which are only possible in the first place because car companies&#x27; threat model is mostly about their customers rather than thieves) in order to pretend to do something about car theft<p>I&#x27;ve been pretty happy on balance with measures introduced through direct democracy in recent years (mostly happens at the municipal and state levels in the US), and it seems like most people are unhappy with measures introduced by the normal &quot;democratic&quot; means of governance in rich nations, where we elect people, who then make laws<p>Maybe we should do more of the former and less of the latter

So if they ban the Flipper Zero are they going to ban the multitude of SDRs as well?

The issue isn&#x27;t devices like the Flipper Zero as much as the weak standards of security (and perceived obscurity) being used to not use actual security to secure cars.<p>Auto manufacturers could .. create more secure devices for cars. Of course existing vehicles are a different problem. That was avoidable to some degree.

This is the equivalent of banning the import of balaclavas to stop robberies.

So all those people with FZs I met at Bsides were car thieves.<p>Just how many thefts are linked to its use.<p>Criminals will be add FZs to their gun and drug shipments to Canada

What&#x27;s the legal instrument they intend to use? Or are they planning to pass a new law? The way this is worded seems to suggest its already in the authority of ISED to ban these, if so, does anyone know what law would give them that right?

If your car key can be copied using a simple replay attack, it is not a key.

Is it even possible to use a flipper zero to steal a car? I thought modern cars have rotating keys which would prevent a replay attack unless you had access to the fob long enough to figure out the seed in which case you may as well just use the key to open the car.<p>They steal cars by either breaking a window or by getting to the CAN bus through the bumper and hijacking the car by programming a new key using the car&#x27;s VIN. Ban Toyota and Honda from selling cars with shitty security if you want to do anything about this problem without having to ask the police to be useful.

Has anyone else described how a Flipper Zero can be used to aid in car theft? My understanding is since the 1990s car have used rolling codes for keyless entry, making it improbable for a Flipper to replay captured signals to unlock vehicles¹. But <i>surely</i> Canada has at least a modicum of evidence that thieves are using Flippers?<p>¹ Caveat: Some cars will accept rolling code signals with a counter only 1-3 values off. So a Flipper recorded unlock message could be replayed successfully if the owner hasn&#x27;t used their fob again. Plus, replaying codes can desynchronize the car&#x27;s system from the fob, leading to non-functional keyfobs. You can find online reports where Flipper users did this to themselves: <a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;flipperzero&#x2F;comments&#x2F;yxgn60&#x2F;flipperzero_bricked_my_car_keyfob&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;flipperzero&#x2F;comments&#x2F;yxgn60&#x2F;flipper...</a><p>edit: A deeper dive makes me think a the Flipper <i>could</i> help with some attacks. On some cars recording multiple successive unlocks and replaying them in order will make the car resynchronize its counter to the messages on your Flipper and the next one will unlock the car. It seems this attack relies on the first signal being jammed, but you could do that with two Flippers. One next to the car jamming, and a 2nd closer to the keyfob recording. Lots of info here: <a href="https:&#x2F;&#x2F;i.blackhat.com&#x2F;USA-22&#x2F;Thursday&#x2F;US-22-Csikor-RollBack-A-New-Time-Agnostic-Replay-Attack.pdf" rel="nofollow">https:&#x2F;&#x2F;i.blackhat.com&#x2F;USA-22&#x2F;Thursday&#x2F;US-22-Csikor-RollBack...</a>

A CBC article (edited since then) also mentioned the Raspberry Pi. Hopefully it&#x27;s just bad journalism.

If anyone has a business impacted by this, I would absolutely love to talk to you. je@h4x.club - I&#x27;m quite sure I can help (not looking for $$, just think this is insane).

Every day this incompetent government gets more ridiculous than I ever thought imaginable.

Hah. I knew this would happen. The Flipper is basically marketed as a hacking tool.

Wait, so I can use my Flipper as a backup key for my car (mid 2010s Mazda)?<p>I thought the rolling code thing prevented this. If anyone has a doc on how to use the Flipper for a car, please send it! I promise it&#x27;s for legit use. I bought it originally to dupe the NFC key fob for my apartment and the RF fob for the garage door.

A guy tracked his stolen truck to CP railyard. Police was sitting outside the railcar that had his truck inside. Police could do nothing because the railyard is outside their jurisdiction. Train left, he watched on the tracker as his truck was eventually shipped to Dubai.<p>So.. I think CP rail is maybe a co-conspirator here? They have immunity from local law enforcement, and don&#x27;t seem to require any title checks to move vehicles across border.<p><a href="https:&#x2F;&#x2F;www.cbc.ca&#x2F;player&#x2F;play&#x2F;2306728515530" rel="nofollow">https:&#x2F;&#x2F;www.cbc.ca&#x2F;player&#x2F;play&#x2F;2306728515530</a>

Considering that the Flipper Zero is just open source hardware that anyone can make at home using common off-the-shelf components, I do not see how this measure does help.<p>If anything, it broadcasts to criminals that they can now steal cars with ease.

I was under the impression that cars and garage doors are essentially 100% immune to replay attacks. How could they possibly be susceptible to something to rudimentary? Or am I not understanding some context?

It’s already under import ban and I know somebody who got their order seized by customs. It’s a hacking tool and customs flips out about those even if an actual security professional is buying them.

&quot;For example, to copy car keys. It is unacceptable that it is possible to buy tools that help car theft on major online shopping platforms.&quot;<p>should be<p>&quot;For example, to copy car keys. It is unacceptable that it is allowed to build cars without proper security that help car theft.&quot;

Since when did thieves start caring about not using banned devices? Governments everywhere already pass the buck in dealing with car theft and break-ins to insurance companies.

This is like making lock pick sets illegal to carry unless you&#x27;re a licensed locksmith. Didn&#x27;t really stop criminals from getting or using them.

This signals to everyone that the device is effective. Even if it isn&#x27;t, it will create a profitable black market. Governments never learn.

Like others here, ordered this (in Canada, before it&#x27;s too late) because of the Streisand effect. Looks like a neat device.

This is what happens when you let your government run wild.<p>You can&#x27;t carry a pocketknife in the UK, you can&#x27;t carry a Flipper in Canada. Insane. I genuinely hope the US does not become even more of a farce of a democracy like these two.<p>Soon our own fingers will be banned &quot;for our own safety.&quot;

Ban crime!

Ban USB cables next: <a href="https:&#x2F;&#x2F;www.thedrive.com&#x2F;news&#x2F;how-thieves-are-stealing-hyundais-and-kias-with-just-a-usb-cable" rel="nofollow">https:&#x2F;&#x2F;www.thedrive.com&#x2F;news&#x2F;how-thieves-are-stealing-hyund...</a>

It can’t be the policies or the lack of security of manufacturers.<p>It must be this educational low encryption open source device that criminals are using.<p>It’s a witch! Burn the witch!

How far we&#x27;ve come since 1999 <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=bOR38552MJA" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=bOR38552MJA</a>

Like banning handgun sales this lets the government get headlines that they are doing something to stop runaway crime without doing anything but piss off normal people.

The key replay attacks only work on very very certain very very very old vehicles.<p>Seriously the myth that key fobs are sooo insecure, they aren&#x27;t.

Flipper Zero can&#x27;t unlock cars or anything else with even slightly OK security, but it sure can help detect idiot politicians.

Now I really have to buy one. Any time the government tries to ban something I feel like I should buy it.

&gt; such as the Flipper Zero, which would allow for the removal of those devices from the Canadian<p>Tell me how you have no idea about technology without telling me how.. Flipper is pretty much useless against cars keyless system, in fact, just look at any video of the how thieves do it, they never used flipper but far more sophisticated devices (except the kia switch USB trick). That ban is most likely because some boomer at ISED saw some tiktok and thought it should be banned or got mad after having their Tesla plug door opened remotely, meanwhile, you can import all types of sophisticated full-duplex SDR with all types of antennas that are far more powerful and dangerous than that toy.<p>I worked with ISED before, overall nice folks but technicalities not much.

Great job, now Im going to buy a flipper just like how I bought a handgun before new purchases were banned in Canada.

Ever since leaving Canada I’ve come to realize how intellectually stupid Canadian politicians are. The U.S. has Rhodes scholars and Harvard graduates and Canada has kindergarten teachers and used car salespeople. The smartest Canadians know that it’s more lucrative to leave Canada and come to the U.S. so the brain drain leaves Canada at the behest of below average intelligence but highly ambitious and greedy politicians.

I ordered a contraband baofeng handset from the US and it made it thru customs without inspection or seizure

Sounds like &quot;Let&#x27;s ban penetration testing to prevent hackers from hacking any system&quot;

This would be funny if it weren&#x27;t real and truly shameful. Dark days in Canada.

Pure ignorance and trend following. This is literally just a (very) custom build of the Mattel GirlTech IM-ME wireless instant messenger. I&#x27;d say, &quot;Are they going to ban all devices with a TI CC1110?&quot; but they just might try it.

This site is super vague, does anyone know what this means for existing owners?

Why not banning radio signals? They are used for cars theft!

Soon they will ban Hackrf boards and open source code?

Looks like they want to show they are “doing something”

Did they ban USB cables too, because of KIA?

<a href="https:&#x2F;&#x2F;imgflip.com&#x2F;i&#x2F;8f7fjl" rel="nofollow">https:&#x2F;&#x2F;imgflip.com&#x2F;i&#x2F;8f7fjl</a>

Blame flipper instead of blaming weak-ass security protocols, way to go Canada.<p>Next, the root of all evils: screwdrivers, which, if you are smart enough, can be used to open things that are screwed shut!<p>Think of the children!

Canada has become a joke.

Canada got scary pretty fast

In other news, hammers can be used to break windows, coathangers to jimmy doors, and towtrucks to just lift the fuckers right up and drive off with &#x27;em.

Keyfob security is difficult at best, and impossible at worst. In order to provide better security, you will make the keyfob near useless for the customer. But that&#x27;s a problem for manufacturers to sort out, for example, by offering various options to their customers.<p>That said, banning tools? Seriously? Will they now ban hammers, crowbars and hacksaws, because they can be used for breaking and entering?

Joke?

Isn&#x27;t auto theft already illegal?

so instead of banning insecure cars, we ban the tools to break into them.<p>::slow clap:: The brilliance of the Canadian government on display here.

when did the Canadian gov become so dumb.

In theory, a representative democracy keeps checks and balances by the people still routinely communicating with each other as if it were a direct democracy and if the representatives are not acting in accordance with the direct findings, then it&#x27;s off with their heads.<p>But in practice that&#x27;s a lot of work. The reality is that most people don&#x27;t want to be involved and are happy to have some figurehead do the work for them, even if that means complaining about it later.

Banning a Flipper Zero for Car Thefts is like banning a BB Gun for Firearm Deaths.... You&#x27;re targeting the wrong device lol.<p>edit: Further perspective: You need something that can perform a relay attack. You need someone with a powerful enough antenna to find the remote inside someone&#x27;s home and relay it to a person near the car. This involves at least 2x CC1101&#x27;s<p>&gt; As you can see, small embedded antennas are very inefficient, however convenient. In all cases here, the antenna radiated less than 1% of the available RF power. Using a full sized high efficiency antenna has the potential to increase TRP by at least 20 dB, which is 100 times more power or about a 10x increase in communications range.<p><a href="https:&#x2F;&#x2F;antennatestlab.com&#x2F;antenna-education-tutorials&#x2F;consumer_antenans&#x2F;flipper-zero-antenna-patterns" rel="nofollow">https:&#x2F;&#x2F;antennatestlab.com&#x2F;antenna-education-tutorials&#x2F;consu...</a><p>This is the type of device still available, far more useful and powerful than a banned FZ: <a href="https:&#x2F;&#x2F;www.analog.com&#x2F;en&#x2F;resources&#x2F;evaluation-hardware-and-software&#x2F;evaluation-boards-kits&#x2F;adalm-pluto.html" rel="nofollow">https:&#x2F;&#x2F;www.analog.com&#x2F;en&#x2F;resources&#x2F;evaluation-hardware-and-...</a>