The Canadian government has decided to ban the sale, use, and importation of small portable penetration testing tools such as the popular Flipper Zero. The action is in response to increased car thefts in Canada, which, according to the Canadian government, reached around 90,000 vehicles (or one car every six minutes) in 2023, resulting in $1,000,000,000 in losses.
It’s alleged that thieves have used the devices to copy wireless signals for remote keyless entry, enabling access and subsequent theft of the vehicle. Flipper users have published videos that allegedly demonstrate the device’s ability to conduct replay attacks to unlock cars, open garage doors, activate doorbells, and clone various digital keys. Yet Flipper’s maker, Flipper Devices, firmly insists it can’t be used to steal vehicles built within the last 24 years since their security systems have rolling codes. The company further claims that the device is intended for security testing and development and that it took the necessary precautions to ensure the device can’t be used for nefarious purposes.
The Flipper Zero is a portable and programmable tool designed to help penetration testers and developers debug various hardware and digital devices over multiple protocols, including RFID, radio, NFC, infrared, and Bluetooth.
While it may be designed for security purposes, it has been involved in multiple nuisance attacks. For example, in October 2023 it was reported that the Flipper Zero, using a firmware called Xtreme, could aggressively spam devices with bogus Bluetooth connections. Fortunately, this capability was more of an annoyance than a threat since it cannot perform code execution on recipient devices or cause direct harm.
Given the number of Flipper Zeros and similar devices already in circulation, it’s unlikely that banning them will have much of an impact on reducing car thefts in the immediate future. Thieves will continue to use the devices they have on hand and procure more through black market channels when necessary.
However, the ban will impact law-abiding penetration testers who rely on these devices for legitimate functions. They will need to surrender their devices to authorities while criminals will go on using theirs for nefarious purposes.
To protect your car’s key fob from unwanted interaction with devices such as Flipper Zeros, Field Effect recommends keeping fobs stored away from doors and windows near the entrance of your home and securing them in an RFID protector while not in use.