The tech used here is the popular Flipper Zero, an ethical hacker’s swiss army knife, capable of all sorts of things such as WiFi attacks or emulating NFC tags. Now, 404 Media has found an underground trade where much shadier hackers sell extra software and patches for the Flipper Zero to unlock all manner of cars, including models popular in the U.S. The hackers say the tool can be used against Ford, Audi, Volkswagen, Subaru, Hyundai, Kia, and several other brands, including sometimes dozens of specific vehicle models, with no easy fix from car manufacturers.
Manufacturers secure their vehicles against unauthorized repair, not against theft.
This article convinced me to buy a flipper (I’ve been debating it for years). It’s a super useful item that is absolutely going to get banned/hamstrung any day now for putting too much power into people’s hands under the guise of “public safety”.
I want it because it’s so easy to use. I’m no hacker, but with a tool as convenient as this I’m sure I can piece some useful hacks together.
“ethical hacker’s swiss army knife” I hate it when they always add “ethical”. First of all, when you say ethical you mean law-fearing, they don’t really care about ethics and, secondly, “regular” hackers use it too, so it’s just a hacker’s swiss army knife…
Dude, do you want individual hacking to become illegal? Because people who are not hacking daily are prone to forgetting that some hackers don’t actually act maliciously.
Also, yes, some hackers are ethical and do care. Not you, obviously. But some.
not doing something by fear of the law is not ethical. that said, some of them are ethical, but ethical hacker would mostly include grey hats, which they wouldn’t want because they can’t say illegal hackers use their device.
“ethical hacker” is not defined as “someone who only hacks in fear of law”. That’s my point. Hackers with ethics do lots of shit. Some of them work within the law, some of them work sideways to the law, but your code of ethics and your legal code aren’t quite the same thing, and you assuming they are is surprising.
I’m pretty sure that’s what’s meant by ‘ethical hacker’ in most cases and that’s why I wanted to point out the difference you are pointing out right now.
Yeah, I definitely read that as an effort to preempt the folks who were going to yell about how clearly this means the Flipper Zero should be illegal. Hacking has been so poorly represented in TV and films that there are a distressing number of people who don’t realize the term can even have a positive connotation.
I do not want any hacking device to be illegal, as they can be used for good(overthrowing the state and capitalism).
That’s what you think is good about hacking? That’s not how this works. That’s not how any of this works. That’s what you get when you get your education from TV.
Hacking means “misusing/modifying crap to work how you want”.
Ethical hacking is e.g. modifying devices you own to run software you want, like e.g. running homebrew software on a game console. It is finding and reporting security vulnerabilities so that companies can improve their security. It is modifying software or devices to e.g. removing privacy problems or tracking.
And ethical hacking and law-abiding hacking aren’t the same either, since some ethical hacking activities might be illegal (e.g. violating restrictions on modifying devices) and some legal hacking activities might not be ethical (e.g. using legal hacking to dox people).
And ethical hacking and law-abiding hacking aren’t the same either
I prefer saying ‘grey hat’ instead of ‘ethical hacker’ because ethical hacker is now used to mean ‘pentester’, ‘red teamer’ and all the other cybersecurity stuff, or so it seems to me.
that was the entire meaning of my comment, I clearly didn’t make it clear enough.
All of that is under the umbrella term of ethical hacker. Black/grey/white hat are some very outdated and unclear terms, and also terms that non-tech people don’t really understand.
Ethical hacker is a term that lay people also understand and because of that it has replaced the rest of these terms.
(And also, “ethical hacker” encompasses both the grey and white hat. So it’s not an equivalent term to “grey hat”.)
If you can hack a car with a flipper zero, then the car manufacturers failed to implement the most basic security protocols. Complain to them, and demand a fix.
TBF most of these are failures and exploits on older devices.
Which are a dime a dozen across the entire industry. Security is rather difficult, especially when considering exploits and bugs.
Ofc many of these ARE the results of cut corners, though many are just a lack of security awareness or old devices with known exploits discovered long after manufacturing.
Fucking real! My car (2016 Toyota Avalon) uses a rolling code for the transponder! It’s like one of the most basic things any manufacturer can do to avoid this shit! And it can’t be more than a few dozen lines of code (I’m no expert so this may be an exaggeration)?
Of course, this particular attack actually “works” with rolling codes (WILL desync your real keyfob), it requires the attacker to sniff one signal off your key (incl lock) and then they can spoof your key’s rollover protocol (and any button, not just the one they sniffed) to reset the rolling code back to 0 and allowing them access. Iirc it’s different from a standard replay attack in (definitely) that it can spoof other keys on the fob it hasn’t read, and (I think) that while a trad replay attack requires the car not to hear the signal when recording I believe that doesn’t matter with this attack.
Unfortunately I haven’t been able to test it out since I’m not buying a serial locked flipper firmware from some guy who just got out of prison selling it on telegram.
What if I only use the fob as a fob? I usually only use the touch pad to lock and inner handle’s proximity sensor to unlock, so the car is only range finding after initial sense.
If you literally never press the buttons, nor leave your keys alone with anyone else who could possibly push the buttons?
Then a guy with a $20 car unlock kit from Autozone can still get in. And so can a guy with a hammer, and a guy with a broken spark plug. Locks are suggestions, especially when you have windows.
And that’s not even to mention people with actual SDRs that can repeat your key’s signal and remote start your car, keep your fob in a faraday bag.
I totally got you in the weakness order of operation. I used to be a locksmith in a previous life in South Florida. Used to tell people they needed double sided deadbolt cause there’s a piece of glass next to it, and that they could also just climb through the window so if they were really worried they would want to put up bars or invisible hard screen. Also I am THE most techy person in my friend group and the most I’ve done is put together a tiny esp32 marauder with an old Bitcoin lottery miner, and even then my keys stay in my pocket. Plus it’s an almost ten year old car with 100k+ miles with a few dents and scratches. So I wouldn’t expect such a sophisticated stack especially considering the town I live in is only like ~50k pop.
locksmith
OH you know what’s up for sure then lmao.
Yeah tbh there’s nothing a flipper can do that you can’t do with a better tool, it just rolls a bunch of stuff into a digital swiss army knife of sorts. It’s not something a real car thief would use, maybe someone would use it to break into your car and steal something but a car thief would have something purpose built, or just go low tech if they can. You can run marauder on it too with the wifi board though lol.
