Canada's Planned Flipper Zero Crackdown Provokes Backlash
A Rash of Canadian Car Thefts Won't Be Solved by Banning Pen-Testing Tools
A Canadian effort fueled by a surge of car thefts to ban pen-testing devices that grab wireless signals has provoked a backlash among security researchers and advocates, who accused Ottawa of seeking a scapegoat for bad auto industry security practices.
Canadian officials vowed during a Feb. 8 "national summit" on combating auto theft to ban importation of software-defined radio devices that intercept and replay wireless signals such as those made by car key fobs.
The government estimated that thieves nab a car every six minutes, on average.
"Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried," tweeted François-Philippe Champagne, minister of innovation, science and industry.
Officials singled out one such device: the Flipper Zero, a $169 hand-held system that can clone short-range signals from keyless entry systems. There's just one problem: "Flipper Zero can't be used to hijack any car, specifically the ones produced after the 1990s," said Alex Kulagin, chief operations officer of Flipper Devices, in an emailed statement.
Canadian officials may have fixated on the Flipper Zero because the device had a viral moment on TikTok where users supposedly demonstrated using it to spoof payment cards and steal cars. Security experts say the videos are staged. In response to a request for comment, a Canadian government spokesperson reiterated that "Canada is pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry."
Specifically for the Flipper Zero, the problem comes down to the fact that it can't simultaneously process separate radio frequencies, said Ivan Reedman, director of secure engineering at IOActive. Car key fobs receive very-low-frequency signals from autos and transmit ultra-high-frequency responses. For most modern cars, a would-be thief wielding a Flipper Zero would additionally come up against the problem of transmitting the decryption key - and brute-forcing a key is beyond Flipper Zero's computing power.
Other devices on the market, such as the LimeSDR and Ettus Research B Series, don't have Flipper Zero's limitations on signal processing, and even a Flipper Zero kitted out with extra equipment might be used to unlock a car but not to start it, Reedman said. Such a "buffered relay attack" would be complex, since most carmakers for decades have rotated entry codes to prevent a device from simply intercepting a key fob signal and replaying it back to the car.
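The rotating entry codes described above, as an added illustration that is not from the article or any carmaker's firmware: a simplified rolling-code scheme (constructed key, serial and acceptance window; an HMAC over a counter stands in for vendor-specific code generators) showing why a frame captured from a fob cannot simply be replayed to the car.

```python
import hmac
import hashlib

WINDOW = 16  # how far ahead of the last accepted counter the car will accept (constructed value)

def make_tag(key: bytes, serial: int, counter: int) -> bytes:
    """Rolling code = serial + counter + keyed MAC; a stand-in for vendor schemes."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class KeyFob:
    def __init__(self, key: bytes, serial: int) -> None:
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> tuple:
        """Each press emits a fresh (serial, counter, tag) frame; the counter never repeats."""
        self.counter += 1
        return (self.serial, self.counter, make_tag(self.key, self.serial, self.counter))

class Car:
    def __init__(self, key: bytes, serial: int) -> None:
        self.key, self.serial, self.last_counter = key, serial, 0

    def unlock(self, frame: tuple) -> bool:
        serial, counter, tag = frame
        if serial != self.serial:
            return False
        # Verify the keyed tag first so a forged frame with a guessed counter fails.
        if not hmac.compare_digest(make_tag(self.key, serial, counter), tag):
            return False
        # The counter must move forward: a replayed or older capture is rejected.
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False
        self.last_counter = counter
        return True

def run_scenarios() -> dict:
    key, serial = b"constructed-demo-key-not-real", 0x1234  # constructed sample values
    fob, car = KeyFob(key, serial), Car(key, serial)
    out = {}
    first = fob.press()
    out["fresh_press"] = car.unlock(first)
    out["replay_of_same_frame"] = car.unlock(first)
    older = fob.press()  # pressed out of range of the car, so never consumed by it
    out["later_press_in_window"] = car.unlock(fob.press())
    out["older_captured_frame"] = car.unlock(older)
    for _ in range(WINDOW + 5):  # many presses away from the car exhaust the window
        fob.press()
    out["press_beyond_window"] = car.unlock(fob.press())  # real schemes add a resync step, omitted here
    out["wrong_key_forgery"] = car.unlock(KeyFob(b"attacker-guess", serial).press())
    return out

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} -> {'unlocked' if accepted else 'rejected'}")
```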
To unlock a car with a pen-testing device, the attacker would have to goad a car owner into sending two unlock signals. The attacker would have to jam one signal and capture the other. With the car unlocked, an attacker could help themselves to whatever the owner left in the car. Or they could achieve the same thing by breaking a window, Reedman said.
Far easier than trying to use a software-defined radio to circumvent keyless security is using a transmitter to perform a "relay attack," in which attackers amplify the "wake up" signal sent by cars to capture the key fob response signal - including the decryption key. A pair of car thieves perform a relay attack by having one hold up a relay transmitter near a residence to trigger a response from a key fob inside the home while the other holds a receiver next to the car.
"To attack with the Flipper Zero is substantially more complex than simply relaying the signal to the keyfob," said Reedman. He also said relay attack devices are readily available or can be easily assembled.
"It's already pretty easy to do," he said about stealing cars. No Flipper Zero or its equivalent is needed.
"We'd appreciate it if you could provide any evidence of Flipper Zero being involved in any criminal activities of this kind. We're not aware of any events like this and frankly speaking not sure what was the reason for this discussion to begin with," Flipper Zero tweeted.
Civil society group the Electronic Frontier Foundation piled on with criticism, calling banning Flipper Zero devices "tantamount to banning a multi-tool because it can be used for vandalism."
Reedman urged auto manufacturers to boost keyless entry security, such as by using ultra-wideband radio transmission to triangulate the location of a key fob relative to the car, to head off relay attacks. Manufacturers could incorporate an accelerometer into a fob so that its owner must be in motion while unlocking a door, he said. Of course, hackers could spoof an accelerometer signal. Security is a never-ending race, not an endpoint, Reedman said. Manufacturers might also simply let owners turn off keyless entry, he added.
Banning pen-testing devices such as the Flipper Zero is ultimately self-defeating, Reedman and others said. Probing the limits of wireless security is what leads to improvements, he said.
"You're not actually fixing the problem. You're simply stopping the researchers from showing how easy it is."