The Flipper Zero is a handheld 'hacking device' that allows tinkerers to send and receive radio signals. (Flipper Zero)
There’s a saying that nuance has no place in politics. There are few better examples than the February announcement by the Federal government to ban ‘hacking devices’, such as the Flipper Zero, to combat vehicle theft.
Although vocal opposition has led the government to announce that it will be re-examining the precise wording and restrictions placed on the Flipper Zero and devices like it, this entire saga reveals an arguably backwards conception of the problem this ban aimed to solve.
Arising out of a nationwide summit of federal, provincial, and municipal officials with the aim of combatting automotive theft, the government identified the phenomenon of tech-savvy hackers using wireless devices to intercept and mimic key fob codes. This apparently allowed them to open modern cars as though they had your set of keys. The Flipper Zero is a high-profile example of a device alleged to be able to perform such feats, advertising itself as a Swiss-army knife of the tinkering world – calling itself the “multi-tool device for geeks” on its website.
On paper, the policy and approach of the government make sense: if hackers are using publicly available devices to break into cars, then we should ban those devices. Besides, it’s not as though “car thieves” are a large voting bloc the government needs to worry about appeasing. Despite the seemingly simple solution, however, not only are the governments attacking the wrong devices, but arguably they are going about this problem from the wrong direction entirely.
While key fob spoofing was a favoured tactic of car thieves in the early 2010s, changes in how wireless car locks work mean that devices such as the Flipper Zero aren’t actually able to break into modern cars, something noted by Guillaume Ross, a security expert speaking with the CBC. So while the government talks a big game, its high-profile action against the Flipper Zero would do little to address modern vehicle theft, the very reason for the ban in the first place.
All this ignores a larger, fundamental problem with the government’s approach, however. Car thieves, by their very nature, are not averse to breaking the law. Miniature computers are readily available, and while the Flipper Zero may lower the bar to entry for some beginner hackers, much of the same functionality can be created by modifying a product such as the Raspberry Pi (available as cheaply as $7 at the time of writing) or even with some phones. A policing source for the CBC even admitted that despite bans in place for other hacking devices, they remain widely available.
The key take-away is that trying to stomp out ‘hacking devices’ is a game of whack-a-mole: you can go after the darling of the hacking scene one week, but another will rise to take its place before long.
A ban on ‘hacking devices’ also poses another challenge: definition. What is a “consumer hacking device”, to quote Minister Champagne, exactly? Any computing device can be used for hacking, from your laptop or phone to an Amazon Fire TV stick in a hotel room. Attempting to seriously enforce such a vague definition inevitably leads to the exclusion of some devices (which mutes the ban’s impact) or the over-inclusion of others, resulting in innocent tinkerers having computing devices confiscated by customs.
What is the solution, then? It’s simple, at least in theory: pressure the car manufacturers, who have allowed numerous vulnerabilities to go unchecked, to be more rigorous and proactive in identifying and closing vulnerabilities, either through internal checks, or by responding more rapidly to publicly identified attack vectors on their cars. While less politically flashy and requiring more intensive work on the part of the government, if the goal is to truly address the issue of auto theft by impeding a hacker’s ability to access and unlock modern cars, the issue has to be addressed at the level of the vulnerabilities themselves.
In a perfect world, where people are victimized by criminals stealing property, the action should first and foremost be to go after the criminals – but this is not a perfect world. Auto-makers should not be allowed to let vulnerabilities in their products run rampant and shift responsibility onto those who take advantage of them, and we as consumers should not be so quick to applaud action that on its surface seems to make sense while leaving the underlying issue untouched.