Restricting Flipper Is A Zero Accountability Approach To Security

from the moral-panic dept

On February 8, François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, announced Canada would ban devices used in keyless car theft. The only device mentioned by name was the Flipper Zero—the multitool device that can be used to test, explore, and debug different wireless protocols such as RFID, NFC, infrared, and Bluetooth.

While it is useful as a penetration-testing device, the Flipper Zero is impractical for car theft compared with other, more specialized devices. Social media hype around the Flipper Zero may have led people to believe that the device offers car thieves an easy hacking opportunity*. But government officials are consuming that hype too, and it leads to policies that don't secure systems but instead impede the research that exposes the vulnerabilities the industry should fix. Even though Canada has walked back its original statement outright banning the devices, restricting devices and sales in order to "move forward with measures to restrict the use of such devices to legitimate actors only" is still troublesome for security researchers.

This is not the first government seeking to limit access to the Flipper Zero, and we have explained before why this approach is not only harmful to security researchers but also leaves the general population more vulnerable to attacks. Security researchers may not have the specialized tools car thieves use at their disposal, so general-purpose tools come in handy for finding and protecting against vulnerabilities. Broad-purpose devices such as the Flipper have a wide range of uses: penetration testing to harden a home network or organizational infrastructure, hardware research, security research, protocol development, use by radio hobbyists, and many more. Restricting access to these devices will hamper the development of strong, secure technologies.

When Brazil's national telecoms regulator Anatel refused to certify the Flipper Zero and as a result prevented the national postal service from delivering the devices, it was responding to media hype. With a display and controls reminiscent of portable video game consoles, the compact form factor and range of hardware (including an infrared transceiver, RFID reader/emulator, sub-1 GHz radio transceiver and Bluetooth LE module) made the device an easy target to demonize. While conjuring imagery of point-and-click car theft was easy, citing examples of this actually occurring proved impossible. Over a year later, you'd be hard-pressed to find a single instance of a car being stolen with the device. The number of cars stolen with the Flipper seems to amount to, well, zero (pun intended). It is the same media hype and pure speculation that has led Canadian regulators to err in their judgment to ban these devices.

Still worse, law enforcement in other countries has signaled its own intention to place owners of the device under greater scrutiny. The Brisbane Times quotes police in Queensland, Australia: "We're aware it can be used for criminal means, so if you're caught with this device we'll be asking some serious questions about why you have this device and what you are using it for." We assume other tools with similar capabilities, as well as Swiss Army Knives and Sharpie markers, all of which "can be used for criminal means," will not face this same level of scrutiny. Just owning this device, whether as a hobbyist or professional, or even just as a curious customer, should not make one the subject of overzealous police suspicion.

It wasn’t too long ago that proficiency with the command line was seen as a dangerous skill that warranted intervention by authorities. And just as with those fears of decades past, the small grain of truth embedded in the hype and fears gives it an outsized power. Can the command line be used to do bad things? Of course. Can the Flipper Zero assist criminal activity? Yes. Can it be used to steal cars? Not nearly as well as many other (and better, from the criminals’ perspective) tools. Does that mean it should be banned, and that those with this device should be placed under criminal suspicion? Absolutely not.

We hope Canada wises up to this logic, and comes to view the device as just one of many in the toolbox that can be used for good or evil, but mostly for good.

*Though concerns have been raised about Flipper Devices' connection to the Russian state apparatus, no unexpected data has been observed escaping to Flipper Devices' servers, and much of the dedicated security and pen-testing hardware that hasn't been banned suffers from similar problems.

Originally posted to the EFF Deeplinks blog.


Comments on “Restricting Flipper Is A Zero Accountability Approach To Security”

55 Comments
mcinsand says:

Re: THIS!!! JUST THIS!!! ABSOLUTE TRUTH!

I have a Flipper Zero, and it has been a very handy tool. It’s also motivated me to learn a little bit more about security; if it could crack its way into a car, is mine at risk from another owner? Nope. Some early keyfob cars are susceptible, but current electronic security is impressive (even if the keyfobs are grossly overpriced and take too much pocket space). Good security cards have similar protocols.

Basically, if your devices, businesses, or vehicles are vulnerable to the Flipper, then you need to stop purchasing your security devices off of Wish.

SnowfootMB (user link) says:

Just a small update to your cherry-picked topic...

Always enjoy the Techdirt articles/opinions. Not sure when this blurb was written, but it is clearly out of date, as a not-too-long-ago update (Mar. 20th) reported that the Canadian government walked back its absolute banning of the Flipper Zero. It will still be available. Or perhaps to generate clickbait (honestly I do not see that happening here; I think the articles/opinions are generally well written), ignoring the recent update, or just a case of "meh, I had a good lead trashing those bloody canucks and dammit they changed position due to outcry," so going to stick with the lead-in for now. 😉

Overall I think good points are made in the article, just disappointed in the lack of diligence.

James Burkhardt (profile) says:

Re:

….That update was noted and your PC mag article linked in the Techdirt coverage.

Even with Canada walking back on the original statement outright banning the devices, restricting devices and sales to “move forward with measures to restrict the use of such devices to legitimate actors only” is troublesome for security researchers.

WTF are you talking about?

Anonymous Coward says:

Re:

From the post you did not read?:

“Even with Canada walking back on the original statement outright banning the devices, restricting devices and sales to “move forward with measures to restrict the use of such devices to legitimate actors only” is troublesome for security researchers.”

Anonymous Coward says:

Re: Re: Re:

Just some other things to note:

techdirt is not “hot news”, it’s a blog where many times you’ll get thoughts on something long after it occurs. (Thoughtful commentary usually takes time, as opposed to 500 hot takes while something is new or still happening.)

This is also a repost, even if it is less than a week old.

Have a good one.

Anonymous Coward says:

I expect California and Florida to ban flipper zero

Disney plans to charge $2 every time you want to put something in the trash

A flipper zero could likely be able to hack that and let you throw something in the trash without paying $2 every time

I could see Disney lobbying legislatures in California and Florida to outlaw flipper zero in their states.

I could even see a lobby to amend the cfaa on that one

While it would likely violate state theft-of-service laws for evading the $2 payment, it would not break the CFAA since you are not damaging the trash can itself or using an illegally obtained password

In short, anyone who used a Flipper Zero to bypass the $2 to use a trash can at Disney cannot be charged with any federal crime, though state-level theft-of-service laws would apply

John85851 (profile) says:

Re:

“Disney plans to charge $2 every time you want to put something in the trash”

I don’t think so either.
What happens when people are charged to put things in the trash can? They don’t put things in the trash can.
What happens if trash isn’t put in trash cans? It makes a mess and makes the parks look bad. And Disney still wants to maintain their image of a squeaky-clean park.

Or did you mean this as satirical comment on how Disney charges for everything and it’s only a matter of time before they even charge for other things, like using the bathroom.

Anonymous Coward says:

Re: Re:

One other thing to note about California banning Flipper, if that happens

You can bring one in by using a route where there is no inspection station.

Because California moved the I-15 inspection station further north, it opened up one way to circumvent it.

You just go down by Laughlin, and take Nipton Road back to I-15, getting back on the interstate well south of the inspection station.

With this fluorescent light ban in California some businesses I have talked to are not going to comply. They are going to use the routes with no inspection station and bring back fluorescent tubes and then pay in cash so there is no bank trail.

A couple of neighbors who are business owners intend to do that.

If you are coming from Reno, take 395 south to Highway 88 over the Carson Pass. There is no inspection station on that route. It will add about 100 more miles.

People do that to bring in illegal fireworks on the 4th of July

If illegal fireworks can be brought in that way, the tubes for fluorescent lights can be brought in, and Flippers, should California ban them, can also be brought in that way.

The state of California made a big mistake when they moved the I-15 station further north opening up that 150 mile route around it.

Anonymous Coward says:

Re: Re:

Or did you mean this as satirical comment on how Disney charges for everything and it’s only a matter of time before they even charge for other things, like using the bathroom.

Charging for using the bathroom is something they already do in Britain, as I know since it cost me almost 30¢ every time I needed to use it while on vacation in York, so I can totally imagine Disney following suit.

Anonymous Coward says:

Re: Re: Re:

In the US, pay toilets were declared unconstitutional some time ago.

Being an old fart, I remember the pay toilets in airports. There was always one stall on the end that was not a pay stall and they would never clean it. People would crawl under the door of a 'clean' stall to use it. Mad magazine had stickers in one issue where one of the stickers said, 'Save your dime... it might just be gas.'

Anonymous Coward says:

Re: Re: Re:2

In the US, pay toilets were declared unconstitutional

No they weren’t lol. They’re still perfectly legal in most of the US, though quite uncommon.

The only federal US regulations are a requirement for employee access to restrooms under federal labor laws, and a requirement that public restrooms be accessible to people with disabilities under the ADA.

In the 1970s, campaigns to ban pay toilets were successful in about a dozen states and many cities. That had a ripple effect on public expectations regarding restrooms in general, and they subsequently mostly died out even where they remained legal. Similarly, many types of businesses provide customer access to restrooms even though they are not required to in most states/cities.

Anonymous Coward says:

Re: Re: Re:3

My point is that using a Flipper to evade the charge for using a pay toilet or a pay trash can is no more than a misdemeanor in either California or Florida, specifically misdemeanor theft

There are no felony charges Disney could press if they did have pay toilets or pay garbage cans and someone used something like a Flipper to use the toilet or trash can without paying

Anonymous Coward says:

Re: Re:

You can still sneak it in if you know how to hide it.

When I had my Cobalt, there was an easy place I could hide stuff I did not want found.

When travelling to Canada's Wonderland I would keep a jammer hidden beneath the cupholder and snap it back in place. This was just in case, going through Michigan, some LEO decided to stop me and use an ERAD; the device would be jammed, and that LEO would never have been the wiser.

Because it was hidden under the cupholder, the cops cannot go tearing it out without a search warrant

Just charge it up at night and put it under the cupholder in the morning.

I never got stopped in Michigan, but was stopped in the conservative redneck part of Nevada once 9 years ago because that LEO initially thought I was some kid out in Daddy’s car. When I shave my beard and head completely I look WAY younger than I am.

After his ERAD did not work he did not suspect a thing because it looked like a malfunction. After looking for something to write a ticket for he just gave me the ticket and said "have a nice day," never being the wiser that his ERAD device was being jammed because it was hidden under the cupholder.

While I likely broke Nevada laws jamming his ERAD at that time, I did not break any FCC rules using that jammer.

Jamming ERAD does not break any federal laws, though it might have broken Nevada law when I did that

Since that time automakers no longer make it where you have that space under the cupholder. I think law enforcement might have had a hand in that.

The only thing I did not like about using that jammer is that Google maps did not work and I had to use an app where the maps were stored on my phone

Jamming 2G, 3G, and WiFi, to prevent ERAD from working, did not break any FCC rules.

Anonymous Coward says:

I have been using VPN since 2002

Eurovision had Olympic rights from 2002 to 2012 and I used a VPN to bypass their geo restrictions because they were the best

There is no law in either Australia or the United States that makes bypassing geofencing illegal.

There were, and still are, no laws in either country that make it a crime

Anonymous Coward says:

Bad habits

Anyone else feel that we already have set a bad precedent for the bans of arbitrary devices given all the fuss over ‘circumvention devices’ (DMCA) and related nonsense which still has not been absolutely challenged?

This also has implications on if dissemination of source code that can hypothetically do ‘bad things’ is to be restricted. Of course it seems we just threw the First Amendment aside when it came to consideration.

Anonymous Coward says:

Re:

The DMCA criminal statutes only apply if you do it for financial gain.

Personal in home non commercial use does not fall under the criminal statutes

That is why 20 years ago, when I would record DRM-protected tracks onto cassettes to have in the car, it was not a crime, because I was doing it for my own private personal use and it was not being done for financial gain.

“Commercial or private financial gain” means making MONEY

Anonymous Coward says:

Re: Re: Non-commercial != legal

Tell that to George Hotz. First person to enable app signing and low-level code execution on the PS3 and Sony still raked him over the coals until he agreed to never hack a Sony product ever again under threats of fine or prosecution.

On April 11, 2011, it was revealed that Hotz and Sony had reached a settlement out of court. This included a permanent injunction against Hotz doing any more hacking work on any Sony products to prevent any future firmware release from being decrypted.

Spoiler: Others figured out how to decrypt newer firmwares but were more careful in publicizing it in ways they could be found. I wonder why… /s

Anonymous Coward says:

Re: Re: Re:2 Re:

DRM-protected tracks? From what source? Of course with audio the analog-hole loophole exists but for running legitimately obtained software on a computing device you own there is no analog-hole to save you.

Additionally alleged circumvention of DRM to run legitimately obtained software on your own hardware is not a crime in all places.


Anonymous Coward says:

Of course you can have a home offshore and park a computer there with a VPN

Even if VPN is blocked there is the trick I used at Taco Bell when I needed to access the server for the online radio station I had

I would first connect to my machine via SSL on port 443 and then connect to my main VPN using the internal address of 192.168.0.1 instead of the external address for my network, and their firewall let me through

Because I was using the internal address their firewall was fooked

Firewalls do not block 192.168.0.x, 192.168.1.x or 10.x.x.x because those are all internal addresses.

Using that "hole" in the firewall to access the VPN on my servers did not break any laws in either Australia or the United States.

Bypassing filtering is not a crime in either Australia (where my server was) or the United States (where Taco Bell was), so I broke no laws in either country when I bypassed the Bell's blocking of VPNs

Even if it were it would not matter because it was station policy to securely wipe and reinstall all station owned devices before crossing international borders

We did a lot of figure skating coverage and I can say we broke no laws in these countries where we did figure skating coverage

China
Alaska
Cuba
France
Germany
North Korea
South Korea
Malaysia
Qatar
Singapore
Mexico
Canada
Guatemala

There are no criminal statutes in any of those countries covering wiping station owned devices and reinstalling before travelling. We committed no crime wiping our devices and reinstalling

It is also not a crime in Australia to wipe station owned devices before returning to Australia

Anonymous Coward says:

I do expect the CFAA to be amended to address this

I did read where some students decided they were there to learn and did not want to be interrupted by other students' cell phones, so they used a Flipper to screw up the cell phones in the room to the point where the phones had to be factory reset before they would work again

The CFAA does not cover that, but I would not be surprised if Congress does act on that.

The most that student could get was a misdemeanor vandalism charge in juvenile court and a suspension from school

There were no felony charges that could be laid for screwing up other students' phones and forcing them to do a factory reset to make them work again

Expect Congress to revisit the CFAA in the near future

Rich says:

Re: Um...what?

If you have a device that blocks or otherwise deliberately interferes with cell service, using it to do so is VERY illegal. Cellular phone service is considered a public utility, and the government will come down hard on you if you are caught doing such things. And should someone have a medical emergency and nobody could call 911, you would be in very deep shit, both in the criminal and civil courts.

Anonymous Coward says:

Re: Re: Re:

AC:
"In Illinois there are felony charges that do not exist in other states.
For example they are the one state in the union where it is a felony to drive without a license.
While he was subject to prosecution under state law there are no federal statutes that applied."

somewebsite:
“In Illinois, driving without a valid license is a serious offense with significant consequences. …
Driving without a valid license is typically charged as Class B misdemeanor, which is a criminal offense,”
https://www.illinoisdriverslicensereinstatementlawyer.com/driving-without-a-valid-license.html

Is this a bot?
