• jonw@links.mayhem.academy
    6 days ago

    The problem, of course, is distinguishing between harmless and harmful use. There are painfully few things that are objectively good or bad.

  • Obinice@lemmy.world
    9 months ago

    The device only gives easy access to already extremely weak/non-existent security systems. That’s literally it.

    It’s just something that’s existed forever, but put into a convenient package and marketed well enough that suddenly normal people are realising how insecure their electronic systems actually are.

    Kinda like how they used to make pacemakers hackable because they never thought to add any security at all. I bet many of them still don’t.

    Anyway, the issue lies not with this device, which can’t “hack” anything with any actual security, the issue is with manufacturers making devices that literally leave the door wide open to anybody with an extremely basic electronic sniffer/cloner device.

    • mesamune@lemmy.world
      9 months ago

      Yep, you can do the same operations with an RTLSDR (20-40$) and a signal repeater (20ish) and raspberry pi/netbook. It’s somewhat harder to do if you don’t know the software but it really just exposes very insecure hardware. Companies should put a semblance of security and it would take care of things. These kinds of devices are everywhere, not just the flipper. Flipper just made it a tiny bit more friendly.

    • pezhore@lemmy.ml
      9 months ago

      I have one and I highly recommend the wifi card. I also have a slightly working Carbon Dioxide sensor - I say slightly because its readings are consistently off when compared to my Aranet. Supposedly there’s a way to calibrate, but I haven’t had time to dig into it further.

      My only issue with the device is that I wish there were more Tamagotchi elements to the dolphin buddy.

      • Mr_Blott@lemmy.world
        9 months ago

        That said, this is the argument that gun-owning cowards use, so does it fall under the “How do we stop this happening, says only country in the world where this happens regularly” category?

        Probably a wise move to nip it in the bud

      • papabobolious@feddit.nu
        9 months ago

        I guess it could steal maybe some 90s cars with remote fobs, but I don’t think it can do modern keyless entry cars in any useful way.

      • Herr Woland@lemmy.world
        9 months ago

        Not only that, you can easily buy more advanced car stealing tools that are made for this purpose from Chinese websites.

  • AutoTL;DR@lemmings.world
    9 months ago

    This is the best summary I could come up with:


    Presumably, such tools subject to the ban would include HackRF One and LimeSDR, which have become crucial for analyzing and testing the security of all kinds of electronic devices to find vulnerabilities before they’re exploited.

    This slim, lightweight device bearing the logo of an adorable dolphin acts as a Swiss Army knife for sending, receiving, and analyzing all kinds of wireless communications.

    People can use them to change the channels of a TV at a bar covertly, clone simple hotel key cards, read the RFID chip implanted in pets, open and close some garage doors, and, until Apple issued a patch, send iPhones into a never-ending DoS loop.

    The price and ease of use make Flipper Zero ideal for beginners and hobbyists who want to understand how increasingly ubiquitous communications protocols such as NFC and Wi-Fi work.

    Lost on the Canadian government, the device isn’t especially useful in stealing cars because it lacks the more advanced capabilities required to bypass anti-theft protections introduced in more than two decades.

    The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems.


    The original article contains 617 words, the summary contains 195 words. Saved 68%. I’m a bot and I’m open source!

    • vithigar@lemmy.ca
      9 months ago

      I can’t be the only person who reads “I’m open source” with the same cadence as “I’m on a horse” then hears the Old Spice jingle in my head, can I?

      • Evkob@lemmy.ca
        9 months ago

        Well in any case, if you were the only one, you aren’t anymore.

  • no banana@lemmy.world
    9 months ago

    I see how that might make sense to lawmakers. It does present itself as a problem. But the fact that it is a symptom of a security issue is the reason it shouldn’t be outright banned. I haven’t used the thing, but it has looked to me like a pretty snazzy multitool.

    It’s like banning swiss army knives. I can see why it looks like it makes sense, but it really doesn’t.

    • CosmicTurtle@lemmy.world
      9 months ago

      It reminds me of a lawmaker in one of the flyover states that wanted to make it illegal to look at the source code of a website.

      Think about this for a second.

      And realize that this twat is writing laws.

        • Aatube@kbin.social
          9 months ago

          What’s wrong with that “a series of tubes” speech? It seems pretty accurate to bandwidth

          Edit: Searched it up. The part that was wrong was him blaming email delays on bandwidth.

        • CosmicTurtle@lemmy.world
          9 months ago

          No, it was a few years back when a researcher found that there was a plain text file of county employee social security numbers just sitting inside the JavaScript of a government website.

          There are too many Google results from the upcoming election for me to sort through but suffice it to say, the guy was a class A idiot.

        • seang96@spgrn.com
          9 months ago

          I don’t think so, but it was in response to some smart people developing their government website with the database stored basically in the HTML of the website if I remember correctly. A good Samaritan reported it and was basically charged with hacking the state.

          • Mario_Dies.wav@lemmy.dbzer0.com
            9 months ago

            > A good Samaritan reported it and was basically charged with hacking the state

            Wait, really? What would I search to read more about this? Do you remember which state?

          • pixelmeow@lemmy.world
            9 months ago

            The problem with this is that reading the generated HTML behind a page that has been served to your browser does not prove that data was stored in an HTML source file. The data is inserted into the page while it’s being served to the browser. That’s what the JavaScript does after it requests the data from the backend code, which gets the data from the database (or whatever storage is being used) and sends it back to the JavaScript, which puts it in the page.

            Saving data in source HTML files would mean every possible combination of data anyone might request must be saved in its own separate file, which is definitely not how web development is done. Laws should not be made by people who don’t know what they’re talking about.

        • lad@programming.dev
          9 months ago

          Happened around 2021-10-15:

          Missouri Gov. Mike Parson said that his administration is pursuing the prosecution of a local newspaper reporter who alerted the government to website security flaws.

          It’s in the following sources, at least: TechCrunch, NPR, NY Times

    • rdyoung@lemmy.world
      9 months ago

      I’ve been watching flipper since it was announced. I should probably buy one and play with it.

      All this is going to do is increase sales of the thing and probably increase the number of “kids” trying to break into cars. Streisand effect ftw.

      • Case@lemmynsfw.com
        9 months ago

        I have one.

        It’s fun.

        But on the subject of rolling codes, I was able to get through a security gate that relies on, essentially, a garage door opener.

        The exploit relied on the ridiculously low amount of rolling codes it cycled through.

        Capture one, and try it a few times to get through.

        Cars are more robust. Despite tinkering with it for about 8 hours, I wasn’t successful with defeating it. That being said, I picked up the device, in part, to start messing around with various signals as an educational tool.

    • LazaroFilm@lemmy.world
      9 months ago

      The real problem is Flipper Zero is just a nicely packaged tool that can also be easily assembled with other off the shelf parts. And those parts alone can do many other things that should not be made illegal. The real solution should be from car manufacturers and ensuring that they don’t use tech that can be so easily hacked.

    • lad@programming.dev
      9 months ago

      > It’s like banning swiss army knives

      That’s why we went forth and banned everything swiss, army, or knive, altogether

  • bjorney@lemmy.ca
    9 months ago

    There is nothing this thing can do that a dedicated hobbyist couldn’t replicate with parts bought off the shelf at a RadioShack, so where does the line get drawn

  • uhmbah@lemmy.ca
    9 months ago

    Ya but, you can’t steal cars with this unit.

    If our politicians are not the laughing stock, they should be.

    • dangblingus@lemmy.dbzer0.com
      9 months ago

      They’re too busy profiting from all of the illegal activity in this country. Organized crime is absolutely thriving in Canada because the people in charge are allowing it to occur.

  • fmstrat@lemmy.nowsci.com
    9 months ago

    Read everyone, this is hype, and Canada is being dumb on this one.

    The Flipper Zero is also incapable of defeating keyless systems that rely on rolling codes, a protection that’s been in place since the 1990s that essentially transmits a different electronic key signal each time a key is pressed to lock or unlock a door.

    Most of this reaction is due to staged videos on TikTok and politicians not understanding technology. Maybe they’ll stop a few joyriding kids, but car thieves aren’t using F0s.

    • Billiam@lemmy.world
      9 months ago

      Politicians passing laws based on things they don’t understand?

      Quelle surprise.

      But also:

      > a protection that’s been in place since the 1990s

      That’s not necessarily a guarantee, cf. Hyundai and Kia’s lack of ignition locks.

      • centof@lemm.ee
        9 months ago

        > Politicians passing laws based on things they don’t understand?

        aka virtue signaling

        • BearOfaTime@lemm.ee
          9 months ago

          Another way of saying that is moral grandstanding, which I kind of like better. I like the imagery of grandstanding, especially when describing politicians.

        • Billiam@lemmy.world
          9 months ago

          That’s because you all up there in America Lite hate capitalism, freedom, democracy, eagles, and baby Jesus.

    • Aatube@kbin.social
      9 months ago

      Isn’t it possible for someone to code a code-roller onto the flipper zero app store?

    • Player2@lemm.ee
      9 months ago

      With a jammer it’s definitely possible to bypass rolling codes with Flipper, but it’s only temporary and has limited usefulness

      • Takumidesh@lemmy.world
        9 months ago

        It’s pretty difficult, you need to get the rolling code from the fob, but you also need to jam it so it doesn’t reach the car.

        Then you have one opportunity to replay the code before the holder of the fob hits the button in range and rolls the code over.

        So even if you manage to set that up that only gets you in the car, it doesn’t get it started.

        • Player2@lemm.ee
          9 months ago

          Yes correct, just pointing out that it is technically possible to get around the system

      • KairuByte@lemmy.dbzer0.com
        9 months ago

        That isn’t bypassing rolling codes, that’s capturing a single code while preventing it from reaching the car.

        And once the code is used once, or the fob gets a new code to the car, the previously captured code is useless.

        This isn’t the same thing as bypassing rolling codes.

        • Player2@lemm.ee
          9 months ago

          Hmm, I don’t know the precise terminology, I meant bypass as a way to temporarily get around the rolling code system without actually breaking the code itself. You’re probably right though
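The receiver-side behaviour this subthread is arguing about, as an added sketch that is not any commenter's or vendor's code: a rolling-code receiver that accepts only frames with a fresh counter inside a small look-ahead window. The HMAC construction, frame layout, `WINDOW` value and all names are assumptions for illustration; real fobs use vendor-specific ciphers.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: presses the receiver may have missed


def make_frame(key: bytes, counter: int) -> bytes:
    """Fob side: 4-byte press counter followed by an 8-byte truncated MAC."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:8]
    return header + tag


class Receiver:
    """Car/gate side: tracks the highest counter accepted so far."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        # Reject anything already used or older, and anything too far ahead.
        if not (self.last < counter <= self.last + WINDOW):
            return False
        # Constant-time comparison of the whole frame against the expected one.
        if not hmac.compare_digest(frame, make_frame(self.key, counter)):
            return False
        self.last = counter  # every older frame is now permanently invalid
        return True


def demo() -> dict:
    key = bytes(range(16))            # constructed sample key
    rx = Receiver(key)
    f1, f2, f3 = (make_frame(key, c) for c in (1, 2, 3))
    out = {}
    out["first_use"] = rx.accept(f1)       # fresh frame
    out["replay"] = rx.accept(f1)          # same frame again
    out["missed_press"] = rx.accept(f3)    # f2 never reached the receiver
    out["stale"] = rx.accept(f2)           # f2 shows up after f3 was accepted
    out["wrong_key"] = rx.accept(make_frame(b"\x00" * 16, 4))
    out["too_far_ahead"] = rx.accept(make_frame(key, 3 + WINDOW + 1))
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:14} accepted={accepted}")
```

The `stale` case is the point made above: a frame that never reached the receiver stops being usable as soon as any later frame is accepted. A small counter space or a static code removes that property entirely.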

  • Treczoks@lemmy.world
    9 months ago

    If the flipper can help you steal a car, the flipper is not the problem, but the neglect and incompetence of the car company is.

  • MeanEYE@lemmy.world
    9 months ago

    Oh right, forgot about this little thing. Had my eye on it a long time ago, but forgot about it. Thanks for reminding me Canada. Should probably read up on Streisand effect.

    • Necrosynthetik@lemmy.world
      9 months ago

      They are a fun little tool for hardware hacking and teaching yourself more about what it can do. I bought one last year.

  • InfiniWheel@lemmy.one
    9 months ago

    Can you even buy these without ending up on a list somewhere? Since it’s only sold online this feels like the kind of thing that gets you on a list

    • Mango@lemmy.world
      9 months ago

      Ok I see why you guys might think this guy is being dumb, but having spent some time on Agora with all the honey pots, it’s not too crazy.

      That said, it’s probably much less likely here my dude.

  • Clbull@lemmy.world
    9 months ago

    This is about more than just cars. Anything that uses RFID, NFC, etc, such as an employee badge or even contactless credit/debit card payments, is vulnerable to such an attack.

    Jason Thor Hall (ex-Blizzard employee) explains how such things can be used in social engineering attacks.

    Regardless of whether it’s open source hardware/technology, should we be authorising sales of such prebuilt devices for $170 which can allow the average Joe to break into an office or steal a car?

    • Ben Hur Horse Race@lemm.ee
      9 months ago

      Did you read the article? The flipper can essentially “break into” next to no cars produced after 1990

      Should ‘we’ be ‘authorizing sales’ is an interesting choice of words imo also, nothing negative just saying it made me question who the “we” part really is, and if something being sold has thus been authorized by some all powerful body

    • cadekat@pawb.social
      9 months ago

      Yes we should allow them, because the problem isn’t that this tool is available. The problem is that cars and other devices aren’t more secure.

      If you broke into a bank vault with a screwdriver, you don’t ban screwdrivers; you get mad at the bank.

  • MTK@lemmy.world
    9 months ago

    Car security is horrible

    I bought a copying remote from aliexpress thinking “no way my car has a static code and not a rolling one… right?”

    Nope, fuck you Kia, any stupid cheap remote from aliexpress can be used to copy keys from a surprising amount of cars.

    Car security should improve and I hope this becomes a big enough issue that it gets better regulated

    • MrFunnyMoustache@lemmy.ml
      9 months ago

      I would have expected an OTP type code to unlock a car… Considering how expensive cars are, this is really cheap to implement. Heck, I could buy a yubikey for €25, and I’m sure if a big company wants to buy a million of them, they can do it for a fraction of that cost… A brand new car costs tens of thousands…, it should’ve been a no brainer to include better security.

      • The Menemen!@lemmy.world
        9 months ago

        Yeah, but saving 1.50 per car improves some stupid business performance indicator, which respectively will get some manager a nice bonus.

        • MrFunnyMoustache@lemmy.ml
          9 months ago

          I believe you, this world is so weird… For companies that make tens of billions in profit, saving a million dollars on chips is almost a rounding error compared to the benefit to their reputation when their cars are more secure.

          • The Menemen!@lemmy.world
            9 months ago

            Ever since I first met the insanity that are business indicator numbers, I lost my belief in humanity. People knowingly hurt their companies’ effectiveness and prosperity just to improve those numbers. And they get rewarded for it.