The Canadian government wants to ban Flipper Zero-type hacker tools to combat car theft (Updated)

Flipper Zero
(Image credit: Tom's Hardware / Pexels)

Update 2/13 2:47 AM PT

We have received a response from noted cyber security expert and author Freakyclown which provides more insight into the impact of Canada's potential ban.

Updated Story

During a recent national summit for combatting car theft, a Canadian government official, François-Philippe Champagne the Minister of Innovation, Science and Industry announced that the country aims to ban devices such as Flipper Zero, due to their use in car theft. 

In the press release, the Canadian government states that it is "Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies."

We reached out to Flipper Devices for comment and the response to the claim that Flipper Zero could be used to steal a car is something that Flipper Devices COO Alex Kulagin denies. “Flipper Zero can’t be used to hijack any car, specifically the ones produced after the 1990s, since their security systems have rolling codes. Also, it’d require actively blocking the signal from the owner to catch the original signal, which Flipper Zero’s hardware is incapable of doing,” said Kulagin. “Flipper Zero is intended for security testing and development and we have taken necessary precautions to ensure the device can’t be used for nefarious purposes.”

We've seen Flipper Zero being used to emulate RFID and NFC devices, but these are "dumb" devices when compared to car security systems. The rolling codes used in modern car security mean that a thief would need to intercept the user pressing the fob, capture the code, and then use it at a later date.  Flipper Zero is not able to block the signal. For that you would need a device from a nefarious source.

South of the U.S. / Canadian border, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) analyzed Flipper Zero's abilities and produced the following statement.

"The popular, in-demand hacking tool went viral on TikTok in late 2022 and can be used as a positive, legitimate, and convenient way for pentesters and curious minds to learn about, access, and dissect signals and protocols. Demand continues to increase, limiting the supply and causing consumers to engage third-party vendors selling the product at higher costs. Threat actors are leveraging the high demand and low supply by impersonating social media accounts and official Flipper Zero vendor websites to interact with and lure potential customers into paying with cryptocurrency without actually sending them the device. Additionally, most of the posted TikTok videos reportedly may have been staged and provided misinformation, as most modern wireless devices are not vulnerable to simple replay attacks."

Will blocking the sale of Flipper Zero and other devices put a significant dent in the number of car thefts in Canada? Probably not. Co-Founder of Cygenta and former head of Cyber Research for Raytheon, Freakyclown, thinks that this will "stop innovation of security research and stem security getting better." Freakyclown also states that banning the devices won't stop criminals from buying them "because… *checks notes* criminals do not care about the law!" We asked Freakyclown for comment and their reply is reproduced in its entirety.

"Recently, there has been a surge of discussions surrounding Canada's potential ban on the Flipper Zero device, with proponents arguing it will curb criminal behavior and enhance security. However, a closer examination reveals that such a ban could have adverse effects on innovation in security research and might not effectively address underlying security challenges.

The Flipper Zero, a versatile hacking tool and educational device, has gained popularity among cybersecurity enthusiasts for its ability to explore and understand various security vulnerabilities. Despite its potential for misuse, advocating for its ban overlooks several crucial aspects.

First and foremost, banning the Flipper Zero would stifle innovation in security research. The device serves as a valuable tool for cybersecurity professionals and enthusiasts alike to analyze and fortify systems against potential threats. By prohibiting its use, we risk hindering the development of essential skills and techniques necessary for combating emerging cyber threats.

Moreover, the notion that banning the Flipper Zero will deter criminal behavior is flawed. Criminals, by their nature, do not adhere to laws and regulations. They are adept at finding alternative methods and tools to achieve their nefarious objectives. Thus, implementing a ban on the device might only serve as a temporary inconvenience rather than a long-term solution to combating cybercrime.

Furthermore, the Flipper Zero ban could inadvertently create a false sense of security. Instead of addressing the root causes of security vulnerabilities, such as inadequate system design or lax cybersecurity protocols, it offers a superficial solution that fails to address underlying issues effectively. True security enhancement requires a multifaceted approach that includes education, collaboration, and the continuous evolution of defensive measures.

Critics argue that focusing on banning specific devices detracts from the real issues at hand, namely the need for comprehensive cybersecurity policies and initiatives. Rather than resorting to knee-jerk reactions such as bans, policymakers should prioritize investing in education, fostering collaboration between industry stakeholders, and promoting responsible use of technology.

In conclusion, while concerns regarding the potential misuse of the Flipper Zero are valid, implementing a ban is not the most effective solution. Such a move risks stifling innovation, failing to deter criminal behavior, and providing a false sense of security. Instead, policymakers should focus on holistic approaches to cybersecurity that address underlying vulnerabilities and promote responsible innovation in the field. Only through collaborative efforts can we achieve meaningful progress in enhancing digital security for all. #CrimsGonnaCrim"

Thinking of taking your Flipper Zero on your next flight? Then make sure that it is in the hold, and not in your hand luggage. As reported by The Daily Dot, Vitor Domingos's Flipper Zero was seized by security at London Gatwick airport. During a conversation with airport security, which went "downhill", Domingos's Flipper Zero was handed over to the police, who have yet to return it.

Flipper Zero is a "portable multi-tool device for geeks" and has more in common with a Swiss Army knife than a specialized theft tool. If you are into cyber security, as a hobby or as a career, then its abilities and apps will give you the tools to audit your devices, and those of your clients. With the base device one can read RFID, NFC and many other sub 1 GHz radio devices. Bluetooth and Infrared and also well catered for, along with a basic GPIO which is compatible with the Raspberry Pi and Arduino type boards.

Les Pounder

Les Pounder is an associate editor at Tom's Hardware. He is a creative technologist and for seven years has created projects to educate and inspire minds both young and old. He has worked with the Raspberry Pi Foundation to write and deliver their teacher training program "Picademy".

  • peachpuff
    That'll stop them thieves 🙄
    How about tougher sentences for car thieves and more inspections of cargo going out of the country?
  • Giroro
    Hockey sticks can be used to break into homes. Canada should ban hockey.
    Also ban Robertson Screwdrivers.
    Also ban Quebec.
    Ban Alphabet.

    Ban everything. Who cares anymore? Did you know that if a hacker gets into your Gmail they can change your recovery information in under 10 seconds and permanently make your entire business/cloud/docs/android/ YouTube - everything permanently inaccessible and non-recoverable in an instant. Because Google has no phone number, email address, or ticket system. Just a completely useless password reset tool that can't do anything to get the account back and a pile of circular, contradictory, outdated help documentation that doesn't resemble the current version of their recovery page.... Which is just a standard login page.
    Think about it - if a major media YouTube channel had one disgruntled employee make it to the account security page, they could completely own the business by changing 4 settings and there's nothing anybody can do about it - because even VIP Google users can't contact google without first logging into their locked-out account.

    It's wild.
    Our entire digital lives operate at extreme risk at all time. So why even bother letting anybody do anything, ever?
  • ThomasKinsley
    I applaud the Flipper Zero because it shows how insecure our technology infrastructure is. One only needs to tap a credit card with the FZ and it fully clones the card. Can't help but wonder if Canada is banning the device because it makes their security measures look foolish.
  • bit_user
    Speaking of which, I recall that when drivers licenses and passports started integrating RFID tags, we were warned about the potential for attackers to steal them at a modest distance. Does anyone know the status of such exploits and whether I should really be carrying my cards in a RF-proof metal wallet of some sort?
  • sitehostplus
    So all they have to do is cross the border to the US, purchase them, and smuggle them back in.
  • InvalidError
    If you want to stop car thieves from using spoofed fobs, make the protocol bidirectional like private key and certificate exchange for SSL, then tighten protocol timing specs so there isn't enough slack to insert a repeater in-between.

    ... or even simpler and better IMO: go back to people having to either physically press FOB buttons or put the key in - the key is only RF-active on-demand, no remote activation. The idea that vehicles can be unlocked and started entirely by proximity with the key gives me chills and sounds like manufacturers begging for their vehicles to get stolen.
  • Notton
    Banning something from entering the country does prevent prevalence.
    In turn, it weeds out low skill thieves, and this is the vast majority of them.

    It's just like how you can't find Kinder Eggs in USA, but they are available everywhere in Canada.

    But yes, RCMP and provincial police have been proven to be self serving and lazy for quite some time now. It would be nice if they did the job they are paid to do.
  • InvalidError
    Notton said:
    But yes, RCMP and provincial police have been proven to be self serving and lazy for quite some time now. It would be nice if they did the job they are paid to do.
    It would be great if car manufacturers didn't add intrinsically unsafe features to their vehicles that make them so much easier to steal in the first place.
  • Furbo
    Simply ban car stealing. :devilish:
  • Co BIY
    InvalidError said:
    sounds like manufacturers begging for their vehicles to get stolen.

    Thieves usually total a stolen car even if recovered, insurance pays the owner, owner buys a new car, car manufacturer makes a new sale.

    Hard to see the down side for the manufacturer. Basically increases fleet turnover at little cost to them and they aren't blamed.