https://arstechnica.com/security/2024/02/canada-vows-to-ban-...
https://www.bleepingcomputer.com/news/security/canada-to-ban...
How can you use a Flipper Zero to steal a car? Flipper Zero can't crack hard encryption.
Is the real problem that cars were made with security that they already knew was negligently weak at the time? If so, is a recall of those cars more appropriate?
Here's my template:
I am a Canadian citizen in your riding (A1B 2C3) and multiple business owner in the technology sector.
As an expert in the field of electronics and information security, I am concerned about the ISED’s initiative to ban Flipper Zero and similar devices, announced at: https://www.canada.ca/en/public-safety-canada/news/2024/02/f...
The Flipper Zero is a general-purpose tool for engineering and information security research. By banning the device, we will be doing a disservice to our country’s practitioners in these fields, while doing little to thwart car thefts.
If possession of a device like Flipper Zero is the enabler for car theft, then it leads me to believe that such cars had negligently insecure encryption from the day they were manufactured, and a recall of such cars would be more appropriate.
If different people want to mix up approaches, and hit various notes, to see what resonates, a couple thoughts (as a tech nerd, not a political communicator):
* "Information security research" has different connotations for different people. No matter how professionally you conduct yourself and respect the term, and no matter how much you promote the term positively as professional... if a particular reader considers the term to be a euphemism for behavior they think should be curtailed, and they think that's the only use of FZ, that might hurt your effort. (Unless you can find a way to promote both at the same time, to those readers, without compromising on either more than you want to.)
* All the hobbyist experimenting and building things, by kids and adults alike, I consider constructionist "education", which is valued. And I suspect it doesn't hurt to say "STEM", as a keyword for the kinds of jobs and economic development this leads to. (Imagine kids figuring out how modern devices work, which today requires more than just unscrewing an appliance and finding the motor and gears. Or getting interested in the RF that backs much of our global technology infrastructure, and inspired to pursue engineering or science. Or using that knowledge to build things that help get them into universities, or that become a tech startup company.)
While accurate, the standard may not be as rigorous as you'd like to imagine; there was a time not long ago when a wire coat hanger was enough to unlock a car.
A lot of vehicles - my wife’s 2015 Kia included - have a very flawed implementation of rolling key encryption. Basically, you need to capture three consecutive keys. The receiver is programmed to allow any future key (in case the fob was pressed away from the car), and will happily reset to past keys when you send three consecutive keys in sequence.
Ostensibly this is to avoid people’s fobs from becoming “unpaired” somehow if the car receives a future key. You just hit the button a few times and it works. In practice, it’s trivially easy to exploit.
It's the same approach they used for their recent (last 5 years) firearm bans. Whether or not I agree with what they're trying to accomplish with the bans, the ability to arbitrarily ban specific items without meaningful oversight isn't great for democracy.
Because honestly there are lots of ways of gaining access to the inside of a vehicle, and if it can’t enroll a new key it’s neither necessary nor sufficient for stealing a vehicle.
It’s impossible, you can’t even use it against garage doors rolling keys without accessing the garage unit and program it like a new remote. The ban has nothing to do with car theft.
Someone on the plane I was on kept triggering it to do bluetooth attacks ('not your airpods') while I was trying to read (and have my earphones on connected via bluetooth so fuck me right?).
There's hacked firmware's you can install [0]. I understand that there are probably tons of other devices like this out there but this one was SO fucking popular and easily accessible.
I've already seen this thing abused and used in a super obnoxious way. Frankly I think you should be arrested for having it on in the passenger cabin of an airplane.
Probably best not to have the tool in carry-on, even powered-off, and I'd understand if TSA didn't permit that (like they wouldn't let a chef carry-on their knives, another tool with very legitimate purposes).
It's a dick move but banning the hardware doesn't do anything because you can port such simple hacks to any platform. It's the action that should be policed.
I am not excusing the behavior, but I also don't see arrest as an appropriate remedy.
Sounds like running this is illegal and github hosting it, too
You're pulling a "Think of the children" here. Rest of your comment is fine, but this first statement doesn't hold water. Any incredibly small number of engineers and scientists would ever use this device. A Raspberry PI, Ardiuno, or other general purpose micro controllers and small form computing devices sure, I could believe that. But some niche device, no.
Edit: I wasn't aware of the popularity of the device, as suggested by comment below, when I wrote this
FWIW, I "funded" the Kickstarter for Flipper Zero because my startup was doing something a little innovative with various kinds of RF tags, to help solve a significant societal problem. (Which, besides what we could've contributed to a country in monetary value of our company, the application domain had significant implications for national economies, as well as for public safety. All things that lawmakers care about, in addition to reducing auto thefts.) We had Android diagnostic software, plus bespoke iOS apps with NFC that I wrote, but a Flipper Zero would've helped me work better and faster at some things.
> Any(sic) incredibly small number of engineers and scientists would ever use this device.
I personally know over a dozen people who own them and have tinkered with them in various ways. I managed to "break" my air conditioner unit (permanently setting it to C, not that bad of a "break") with one. Definitely less popular than a Pi or Arduino, but growing in popularity very fast.
I couldn't possibly comment on the practical consequences to STEM of banning it. I wouldn't make that argument. But it's silly to claim that it's a "think of the children" argument and nothing more.
*see https://www.cbc.ca/news/canada/toronto-man-finds-stolen-truc...
See also:
- banning various types of (previously) legal firearms vs cracking down on illicit handguns being smuggled in over the border from the US
- banning purchase of property by foreign owners vs addressing supply
- banning single use plastics vs buying a goddamn oil pipeline for billions of dollars rather than cutting oil extraction subsidies
etc. etc.
If you want to do real damage there are portable SDRs that can jam GPS and transmit just about any arbitrary radio signal from DC to 6GHz for less than $500. This is a mildly powerful toy that has a large, intelligent and curious community around it.
The reality is RF stuff is wildly under-explored right now outside of military spaces. On the consumer side I'd guess we're somewhere around the early 2000s internet in terms of security posture. It's probably best to consider the flipper community to be a gift of minimally destructive pentesters relative to what they could be if someone wanted to actually dish out real electronic warfare.
You can't import / use devices that have jamming capabilities.
The Xtreme firmware appeared to be one of the easy ways to get the 'BLE Spam' app which could crash the latest iOS devices until Apple patched it in December.
And that story really echoes the parent's point about Flipper users being a 'gift of minimally destructive pentesters' (love that quote). The Flipper community effectively notified/pressured Apple into fixing an issue that might have been used more nefariously. (Some really malicious folks could have used the ability to crash iOS devices to DoS/shutdown peoples phones at some critical moment as part of a scheme or theft)
However, what we do have is a pretty welcoming, friendly, and adventurous population that's a great basis for building a home, even if that doesn't mean having a house. If you have no sentimental attachments, no social life, no outdoor hobbies, no family, no job, and no prospects for a job, all of those together are perfectly legitimate reasons for getting the hell out and seeking prosperity where it might actually be found.
For me, I haven't had a job for almost a year, nobody's hiring, nobody will be hiring, rent is increasing, I'll almost certainly never own a home or be able to retire, and I don't think having kids would be feasible if I was set on it; all together, a miserable situation to be in. But... I do have friends, I have places to spend my time, I don't need to worry about medical expenses, I have a roof (for now), and I'm in better shape than many people in their early thirties. I like the vibe, and don't think I'd have better opportunities in those respects anywhere else.
That said, I did already move for work once, and picked the most appealing place imo, so anywhere else would have to pass a very high bar in order to compete. I'm also relatively more outgoing and open than people who claim to want strong social lives, and am willing to put in the groundwork. If you're a lonely, socially anxious or inept person, or a sweaty careerist tryhard who doesn't take time away from work anyway, being here vs anywhere else probably won't be such a significant difference except a better account balance.
Edit: I'd qualify my characterization of being welcoming, open, and adventurous, with the possible exception of smaller towns and cities where quite the opposite can be true. No so much because they don't like newcomers or because they're bigoted, but many people in those places—even if they're relatively cosmopolitan—haven't bothered to look beyond their high school friends for connection, even well into adulthood, and I've heard that can be quite difficult to break into. But I also don't think it's unique to Canada and it's a worthwhile experience to get the hell out of your hometown no matter where you're from by your mid-twenties I think, if even for a few years.
Im sorry but this is one of the saddest things I've ever read. As a Canadian of this was my experience of Canada I would be doing everything I could to get out. Thankfully it isn't yet, but things definitely are not looking good and I am worried about the future
That said, this is the most popular one, I'm sure there's clones out there already that fly under the radar.
None of the articles on this are actually showing the numbers. https://www150.statcan.gc.ca/n1/daily-quotidien/230727/cg-b0...
Car thefts have increased by a significant amount outside of their normal fluctuations, but they are still much much lower than they were before 2010. To call it a crisis is hyperbole. Canada's car thefts are the approximately the same rates as the US.
Flipper zero is a casualty of poor security practices, and the insurance companies need to be going after the car manufacturers for making it so easy. I would even say if it's so easy to bypass, then buttonless start should never have even been legal.
You can ban the flipper zero, but it does not seem that difficult to get them into the country nor does it seem difficult for criminals to make their own.
Without a police report your insurance won’t pay for a new car.
Just root a phone and you have a far more powerful hacking platform.
Thanks to our Parliament!
But how many previously law abiding citizens will be hurt by not having this technology, or becoming criminals now?
> Office of the Honourable Dominic LeBlanc Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs
mailer-daemon@googlemail.com
An error occurred. Your message was not sent.
A better contact is Dominic LeBlanc, and your local MP.
Emails seem to work fine if they already know you.
> Alex Kulagin, COO of Flipper Devices, said in an interview that his company received no communication from the Canadian government ahead of Thursday’s statements.
I've been pretty happy on balance with measures introduced through direct democracy in recent years (mostly happens at the municipal and state levels in the US), and it seems like most people are unhappy with measures introduced by the normal "democratic" means of governance in rich nations, where we elect people, who then make laws
Maybe we should do more of the former and less of the latter
This is not to say that the alternative is immune to these problems, but as a former long time california resident direct democracy was directly responsible for many of the state's problems, i.e. prop 13.
In many cases any special interest or sufficiently motivated rich person can also just keep putting their pet issue on the ballot over and over until it passes.
Sufficiently motivated and rich people are also motivated to repeatedly put their pet issues to our political representatives (sometimes alongside big political contributions).
Seems like a case of pick your poison (and antidotes).
Direct democracy means a lot around here, like not having a single party long term in some control positions who could block or manipulate bills. Voting on topics instead of politians is only a small aspect of this all working.
Two wolves and a sheep deciding what to have for dinner.
https://en.wikipedia.org/wiki/1978_California_Proposition_13 (massively screwed up the housing market in California, not feasible to reverse it now)
https://en.wikipedia.org/wiki/2008_California_Proposition_8 (defined marriage in the state constitution as between a man and a woman, still on the books but invalidated in court... for now)
That basically summaries the Canadian government's history, and how we end up in multiple crisis and negative gdp per capita situation now.
I think the real problem is that the system is rigged.
Your vote only matters if youre in a non-gerrymandered swing state.
Even if your vote did matter you have to choose from a a small amount of candidates selected and vetted by the RNC and DNC.
So its less an issue with representation democracy and more an issue with how rigged and pointless the system has become in my opinion.
Text uses the flipper zero as an example, not as the specific target of the ban.
Similar to how moving ssh to a non-standard port stops most attacks.
Auto manufacturers could .. create more secure devices for cars. Of course existing vehicles are a different problem. That was avoidable to some degree.
Just how many thefts are linked to its use.
Criminals will be add FZs to their gun and drug shipments to Canada
ISED is responsible for the radiocommunication act. Section 6(1) seems to give pretty broad powers to regulate different radio devices. https://laws-lois.justice.gc.ca/eng/acts/r-2/page-2.html perhaps its broad enough to allow banning such devices.
But, also, there's a reason cars have been using microchipped keys for the last 25+ years.
There are ways to transmit information securely that prevent replay and other attacks. (See: Wi-Fi, Bluetooth, TLS, etc.) If car manufacturers weren't lazy and cheap, they could solve this problem, but they don't really care. They get money when you buy the car, then if you're car gets stolen, they get more money when you buy a replacement. Not solving the issue is in their favor.
They steal cars by either breaking a window or by getting to the CAN bus through the bumper and hijacking the car by programming a new key using the car's VIN. Ban Toyota and Honda from selling cars with shitty security if you want to do anything about this problem without having to ask the police to be useful.
¹ Caveat: Some cars will accept rolling code signals with a counter only 1-3 values off. So a Flipper recorded unlock message could be replayed successfully if the owner hasn't used their fob again. Plus, replaying codes can desynchronize the car's system from the fob, leading to non-functional keyfobs. You can find online reports where Flipper users did this to themselves: https://www.reddit.com/r/flipperzero/comments/yxgn60/flipper...
edit: A deeper dive makes me think a the Flipper could help with some attacks. On some cars recording multiple successive unlocks and replaying them in order will make the car resynchronize its counter to the messages on your Flipper and the next one will unlock the car. It seems this attack relies on the first signal being jammed, but you could do that with two Flippers. One next to the car jamming, and a 2nd closer to the keyfob recording. Lots of info here: https://i.blackhat.com/USA-22/Thursday/US-22-Csikor-RollBack...
I thought the rolling code thing prevented this. If anyone has a doc on how to use the Flipper for a car, please send it! I promise it's for legit use. I bought it originally to dupe the NFC key fob for my apartment and the RF fob for the garage door.
So.. I think CP rail is maybe a co-conspirator here? They have immunity from local law enforcement, and don't seem to require any title checks to move vehicles across border.
The problem here is probably the criminal lied about what was in the cargo container, and to process the tens of thousands of titles to ship new vehicles to manufacturers is obscene - and even then, criminals will still find ways to transport cars in shipping containers.
At the end of the day, it’s up to the ports (which again are a federal agency) to scrutinize cargo containers destined for these locations - which they don’t have the staffing or funds to do.
And now they'll be stretched further inspecting incoming shipments for flipper zeros.
> to process the tens of thousands of titles to ship new vehicles to manufacturers is obscene - and even then, criminals will still find ways to transport cars in shipping containers.
What whining is this about? Are you suggesting that we just let the thefts continue at scale using rail because 'paper work hard'? Are you serious?
If anything, it broadcasts to criminals that they can now steal cars with ease.
In practice, you could start a Hyundai with an USB key, because the manufacturer did not bother to implement any security measures (it's cheaper that way).
should be
"For example, to copy car keys. It is unacceptable that it is allowed to build cars without proper security that help car theft."
You can't carry a pocketknife in the UK, you can't carry a Flipper in Canada. Insane. I genuinely hope the US does not become even more of a farce of a democracy like these two.
Soon our own fingers will be banned "for our own safety."
UK knife law allows you to carry non-locking pocket knives with a blade length up to 3 inches (7.62 cm) without any need for a valid reason.
If you've got a job related need to carry a mofo knife (cane cutting with a machete) there's no drama.
Yes, it's regulated - but it's not what you claim it to be.
Next you'll be claiming there's no guns in Australia.
"Gravity knives" are banned too. Why? They are simply easier to open. As easy to open as flipper knives, which are legal. And you don't even have to open fixed blades - also legal.
Butterfly knives are harmless. It is literally easier to kill someone with a legal knife than a butterfly knife, because with a butterfly knife you're forced into a ridiculous opening animation. But it looks spooky, so banned. Pathetic.
You can't even own some of these items in your own house. Imagine not being able to buy a decorative shuriken or whatever. How many people have been killed to shurikens, again? But if you put one on your wall it's 4 years in prison.
More importantly, what criminals will even care to follow this law? Do you really think a criminal interested in stabbing another person will go "geez, well, I guess the law says I can't use this 3.5 inch locking knife!" Fuck no, worst case they'll grab a kitchen knife and get stabbin'.
Stop trying to justify this ridiculousness. The UK is a surveillance state clown show where things are banned for fun. More cameras per capita than China and you can't own a decent box cutter because some politician is trying to justify their worthless existence.
[1]: https://www.victorinox.com/us/en/Products/Swiss-Army-Knives/...
Imagine being sent to prison for 4 years and having your life literally ruined because you used this at a picnic. lol.
We’ve made plenty of dumb decisions as a country but I’d say trying to keep knives off the streets is not one of them.
It must be this educational low encryption open source device that criminals are using.
It’s a witch! Burn the witch!
Seriously the myth that key fobs are sooo insecure, they aren't.
Tell me how you have no idea about technology without telling me how.. Flipper is pretty much useless against cars keyless system, in fact, just look at any video of the how thieves do it, they never used flipper but far more sophisticated devices (except the kia switch USB trick). That ban is most likely because some boomer at ISED saw some tiktok and thought it should be banned or got mad after having their Tesla plug door opened remotely, meanwhile, you can import all types of sophisticated full-duplex SDR with all types of antennas that are far more powerful and dangerous than that toy.
I worked with ISED before, overall nice folks but technicalities not much.
Then she started her political career.
Next, the root of all evils: screwdrivers, which, if you are smart enough, can be used to open things that are screwed shut!
Think of the children!
That said, banning tools? Seriously? Will they now ban hammers, crowbars and hacksaws, because they can be used for breaking and entering?
::slow clap:: The brilliance of the Canadian government on display here.
But in practice that's a lot of work. The reality is that most people don't want to be involved and are happy to have some figurehead do the work for them, even if that means complaining about it later.
Yes, of course. Those with wealth hire people, often referred to as lobbyists, to put in the hard work. Technically, representative democracy requires everyone to be, or have, their own lobbyist, but in practice that's a lot of work that most people don't want to put in. They prefer to defer to a figurehead. It's easier that way. And, as such, give up power because of it.
Disclaimer: The following might make you feel hopeless - I apologize for that in advance. I guess I’m a little in shock right now by the latest Sam Altman news about him looking to pour trillions into driving people out of jobs and possibly jeopardizing humanity. This is indeed like Oppenheimer all over again. I can see it now. Or maybe I need a fresh perspective. Comments are welcome. /Disclaimer
Yes people don’t want to get involved. Yes they are stretched thin. Corporate America puts such onerous demands on them that apathy becomes rampant.
It only furthers the agendas of powerful figureheads. Their self-actualization goals influence how the society is governed (top-tier in Maslov’s hierarchy).
Individual needs of the people - the worker bees - suffer as a direct consequence. There is no longer the “life” part in work-life (the weekends maybe, if you take out kid duty and household chores).
There’s no easy way out, and as much as I love everything being done in the name of scientific progress, I don’t like the cost we are paying for it as a society. We’re an unhappy bunch - this wasn’t the American dream, or any dream.
I think what’s increasingly missing is some culture - like non-commercial good music. People doing stuff because they were motivated by themselves - not commissioned art. Maybe what we need is a renaissance.
Why? To help people losen up a bit, so they can start to remember what living used to feel like. Then maybe, just maybe, people will also start to care more about each other. And dare I say, they might even have some time to volunteer in the service of others.
Also, I am not saying everyone fits the above narrative. There are people who do this today - they have dedicated their lives to service. But it’s not the norm, it’s not even 20% of the population. People like me are the norm. We wish well, we want what’s better. But wanting doesn’t automatically translate into actions - that requires motivation and dedication. Which comes from being inspired. And you can’t get inspired by anything when your life is about surviving each day.
In practice there are no built-in mechanics to deal with representatives. Wait X years for reelection is not the option.
Liquid Democracy would be a possible solution, in which you have the right to vote on all policy directly, or delegate and revoke your voting rights at any moment to a representative. That would be the only way to deal with representatives that promise one thing in campaigns and do something different once they are in office (aside from the many other benefits it would bring).
There is if the population agrees that the representative is not acting in accordance to wishes of the population: Off with their head – literally. What are they going to do about it with no head?
In practice, representatives by and large do act in accordance with the wishes of the constituency to the best of their ability. The larger problem they face is a constituency that doesn't want to be involved. I expect at least 95% of the population have never even spoken to their representative even just once. But the representatives are only human. They do not possess mind reading abilities, so they can only go on what the tiny fraction of the population who are active submit.
But, of course, the tiny fraction of the population who are active are probably not representative of the entire population as a whole, and so you get large disconnects even when the representatives are acting in good faith.
But ultimately that's just people.
edit: Further perspective: You need something that can perform a relay attack. You need someone with a powerful enough antenna to find the remote inside someone's home and relay it to a person near the car. This involves at least 2x CC1101's
> As you can see, small embedded antennas are very inefficient, however convenient. In all cases here, the antenna radiated less than 1% of the available RF power. Using a full sized high efficiency antenna has the potential to increase TRP by at least 20 dB, which is 100 times more power or about a 10x increase in communications range.
https://antennatestlab.com/antenna-education-tutorials/consu...
This is the type of device still available, far more useful and powerful than a banned FZ: https://www.analog.com/en/resources/evaluation-hardware-and-...
They banned a bunch of sport shooting and hunting guns because they look “scary” when criminals largely use handguns to commit crime.
Licensed gun owners in Canada are statistically the least likely people out of all to commit crime of any kind (let alone gun crime), as they are background checked every day. Let alone the fact that criminals use illegal black market handguns smuggled from the US to commit the majority of gun crime and won’t have a firearms license.
I own guns, wish I could own more, and dislike 'liberal' and conservative infringements of my rights equally, but at least get the claims straight.
Sometimes tech lowers the barrier to commit crimes and should be regulated.