The government of Canada has its sights set on banning the Flipper Zero, an adorable handheld hacking device that is cherished by security researchers and hobbyist hackers and has gained a sizable following on TikTok.
The device is modeled and named after the virtual dolphin from the movie Johnny Mnemonic, and it’s essentially a Tamagotchi you can use to hack stuff. Flipper can scan radio frequencies and clone key fobs, control infrared-based devices, and is generally a kind of Swiss Army knife for security researchers, who actually use it to improve device security. It’s also used by hobbyists who like playing around with computers, and more generally it’s just really adorable. But there’s a lot of misinformation floating around about its capabilities due to bombastic—and often staged—videos on TikTok and other social media platforms.
Flipper’s popularity has resulted in the device being named as a target in an upcoming National Summit on Combating Auto Theft, where the Canadian government claims, without any evidence, that the device is being used to steal cars.
“Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried,” wrote François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, in a tweet. “Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”
Canada does have a problem with car thefts at the moment tied to organized crime networks, but there’s no evidence that Flipper Zero is playing a major role in these thefts. The Flipper Zero scans frequencies and records signals that can be replayed. While the Flipper Zero can do this for a car key fob, allowing a user to open a car with the device, it only works once due to the rolling codes that have been implemented by car makers for 30 years, and only if the key fob is first activated out of range of the car. More effective approaches used by criminals involve actually plugging a device into a car with a cable or employing a “relay” (not replay) attack that involves two devices—one by the car and one near the fob, which tricks the car into thinking the owner is nearby.
Champagne linked a press release for an upcoming national summit where government will be “Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies,” according to one the conference’s agenda items. The press release does not include any evidence that the device is being used for auto theft.
Naturally, this has riled digital rights groups and sections of the hacker and cybersecurity community, who are both upset and unsurprised that the Canadian government has their beloved Flipper in its crosshairs.
“We shouldn’t be blaming manufacturers of radio transmitters for security lapses in the wireless unlock mechanisms of cars,” Bill Budington, Senior Staff Technologist at the Electronic Frontier Foundation, said in a statement to Motherboard. “Flipper Zero devices, because of their ease of use, are convenient scapegoats to blame for gaping security holes in fob implementations by car manufacturers. Banning Flipper Zero devices is tantamount to banning a multi-tool because it can be used for vandalism, or banning markers because they can be used for graffiti. Moreover, tools like the Flipper Zero are used by security researchers involved in researching and hardening the security of systems like car fobs—banning them will result in tangible harms.”
Canadian digital rights group OpenMedia concurred that banning the Flipper Zero would do more harm than good.
“A ban on sale of general purpose tools like the Flipper Zero will do more to hurt than help Canadian cybersecurity,” said OpenMedia Executive Director Matt Hatfield. “The core problem here is the vulnerability of the keyless entry systems cars are using, not the fact that ordinary technology can reveal this vulnerability. By blocking the lawful sale of these devices, Canada will make it harder for cybersecurity researchers to do their work of testing vulnerabilities and informing the Canadian public, while doing little to prevent motivated car thieves from acquiring tools and exploiting these vulnerabilities.”
When reached for comment, Flipper Devices COO Alex Kugalin reiterated that modern cars are largely protected from the simple attacks the device is capable of. “Flipper Zero can’t be used to hijack any car, specifically the ones produced after the 1990s, since their security systems have rolling codes. Also, it’d require actively blocking the signal from the owner to catch the original signal, which Flipper Zero’s hardware is incapable of doing”, said Alex Kulagin, COO of Flipper Devices. “Flipper Zero is intended for security testing and development and we have taken necessary precautions to ensure the device can’t be used for nefarious purposes.”
The company pointed Motherboard to a January 2023 alert from the New Jersey Cybersecurity & Communications Integration Cell, a state organization. The alert stated that “most modern wireless devices are not vulnerable to simple replay attacks” and added that the Flipper Zero is unable to make purchases using signals captured from contactless credit cards. The alert also pointed to reporting from Wired that stated most of the dramatic videos on TikTok showing a Flipper Zero being used to steal a car are likely staged.
The proposed ban prompted bemused reactions from cybersecurity professionals on social media. “The only thing that can stop a bad guy with a Flipper Zero is a good guy with a Flipper Zero. I have a right to protect my family and community,” wrote security researcher Wesley McGrew, in a cheeky tweet referencing the frequently-used pro-gun rhetoric. McGrew also responded to Champagne’s post with a “Come And Take It” meme spinning off the popular libertarian slogan.
Security experts lined up to lambaste the Canadian government and its insistence that the device is enabling crime. “Instant reactive thought… Isn’t stealing a car already a crime – that the criminal is ok breaking?” wrote security consultant Josh Corman.
Others mocked the government’s belief that devices like Flipper Zero are dangerous and all-powerful hacking tools. “I don’t find the Flipper to be that useful. Its built-in radio frequency support is barely more than you get from a good rooted phone. And I was unable to purchase the RF frequency modules because they were sold out. But imagine that this is considered a threat!” wrote Matthew Green, a professor of cryptography at Johns Hopkins University.
Jordan Pearson contributed reporting to this article.
This post has been read 42 times!