An Automotive Locksmith On The Flipper Zero And Car Theft

Here in the hacker community there’s nothing we love more than a clueless politician making a fool of themselves sounding off about a technology they know nothing about. A few days ago we were rewarded in spades by the Canadian Minister of Innovation, Science and Industry François-Philippe Champagne, who railed against the Flipper Zero, promising to ban it as a tool that could be used to gain keyless entry to a vehicle.

Of course our community has roundly debunked this assertion, for, capable though the Flipper is, the car industry’s keyless entry security measures are many steps ahead of it. We’ve covered the story from a different angle before, but it’s worth returning to it for an automotive locksmith’s view on the matter from [Surlydirtbag].

He immediately debunks the idea of the Flipper being used against keyless entry systems, pointing out that thieves have for many years now been using RF relay-based attacks, which work by accessing the real key. He goes on to address another concern, that the Flipper could be used to clone the RFID chip of a car key, and concludes that it can in the case of some very old vehicles whose immobilizers used simple versions of the technology, but not on anything recent enough to interest a car thief.

Of course, to many readers this will not exactly be news. But it’s still important, because perhaps some of us will have had to discuss this story with non-technical people who might be inclined to believe such scare stories. Being able to say “Don’t take it from me, take it from an automotive locksmith” might just help. Meanwhile there is still the concern of CAN bus attacks to contend with, something the manufacturers could have headed off had they only separated their on-board subsystems.

61 thoughts on “An Automotive Locksmith On The Flipper Zero And Car Theft”

  1. Unfortunately, the ‘non-technical people who might be inclined to believe’ problem is basic to the current state of our culture. Rapid (I almost wrote ‘rabid’) technological change will always leave the majority of people in the dust. Most people do not have the spare brain space to keep up, so they will always be susceptible to scare tactics. Get used to it.

    1. Hence the perpetual attack, the attempts to enforce back doors in encryption, the constant scares about immigrants, the leveraging of child abuse as a means to obtain access to private comms, monitor internet usage, CCTV on every corner etc. etc. ad nauseam

      1. Although my first thought was “He/she is an idiot” it’s possible that he/she is referring to employers legally importing H1-B visa folk instead of hiring Americans, which is also a serious issue and also involves chain migration.

    2. I wish politics were done by “experts” (here the quotes are because I hate using the word expert since it likely implies high school level when experience (without proper schooling) should be good) just having in their field and not a random clown for everything…

      1. Exactly, politicians should be replaced by nominated or voted industry experts and they shouldn’t be able to affect the laws on anything that doesn’t concern them.

        Yes it would make the government more complicated but would also mean that it is competent people making the rules.

        What I see as a good idea is having a voted industry expert as the head or spokesperson for their industry with a group below them made of representatives from companies or universities, etc.

        I also don’t think it should be restricted to “technical” industries like software development or engineering, for example, farmers should be able to nominate their own local representative who is involved in making laws that would affect farms.

        If there are representatives from multiple competing companies involved then that might help prevent lobbying or similar practices as it is all there right out in the open in front of other companies who have a chance to contest it and hopefully as a result any laws should be fair and well thought out and immune to scaremongering.

        Again this would make the government much more complicated but should still be totally manageable.

        1. You’re saying that every politician should be an expert in everything? What will we pay these politicians? Why would they want to be a politician if they are an expert in everything?

          1. Politics used to be what you did after working for a few decades and getting bored with your job, so yes, you did wind up with a bunch of experts from assorted fields.

            Some countries still do this, mainly European and Nordic ones.

            I’m in Australia, very few of ours have ever had a “real” job. Except maybe the woman who once worked at a fish & chip shop, but those skills didn’t transfer well.

        2. Have you looked inside literally any regulatory body or looked up who wrote this or that legislation? That is exactly what is happening. It’s immediately used to raise the barrier to entry in the industry. Why would you assume it would be used wisely?

        3. Who are the people who are voting for the experts?

          Is it the average person? Who doesn’t know who an expert is?

          Is it a group of experts? But who decides who an expert is? Other experts? Then you get people campaigning to be included in the group of experts – and you’re right back where we are right now with a bunch of morons who can sweet talk people reel gud like.

          And ‘rule by experts’ doesn’t work because experts are, by their nature, blinkered – they know a lot within their field of expertise and little outside of it. But policy isn’t siloed. It’s gonna have interactions with a wide range of things (think of the balancing acts needed for Covid – and how poorly governments managed that by *only* listening to public health experts).

          1. In an ideal world, politicians would be sensible enough to approach multiple bodies of expertise and form a solution based on the combined knowledge of multiple experts with varying biases and opinions.

            But we don’t live in an ideal world…

        4. Should factory engineers decide their emission limits, or should the environmental people do that? Either choice would ignore part of the issue.

          Should AI developers write acceptable AI usage policy? They probably understand it best, but might lack in caution.

        5. I have a mug that says “I read some s**t on the Internet, I’m an expert now”. I have met some so-called experts, including people with PhDs after their names, who have been factually inaccurate on what they “knew”, as well as jumping to conclusions when the question was just a smidge beyond their experience. But since I don’t have a 3 letter degree, I am not an expert, despite being able to cite 1. observation 2. theory 3. logic.

          And since logic+fact can’t trump the assumption of job title=”expert”, or degree=expert, or even worse, confidence=expert, much as I prefer a meritocracy, it’s easier to let politicians nominate themselves so we know at least one set of people whose bloviation we should always inspect with a microscope.

          1. I work in the health field and I’m confronted a few times a month by patients who want to argue a diagnosis or treatment because of something they saw on the Internet. I have a coffee cup in my office that says “Please don’t confuse your Google search with my medical degree.” I’m sure something similar happens in lots of other fields where “experts” are confronted by “non-experts”.

          2. “I work in the health field and I’m confronted a few times a month by patients who want to argue a diagnosis or treatment because of something they saw on the Internet.”

            At least in the US, in the 15 minutes allotted to my appointment with, if I’m lucky, an actual doctor and even then a different one each time, that individual has to glance at my badly incomplete records (thanks to laziness in the transition to electronic records and the amazing choices of what NOT to include in mine based upon the paper records they gave me) and make a diagnosis.

            I, on the other hand, with an IQ in the top 2 percent and all kinds of time to research my issue in detail and an ability to comprehend what I read AM the expert about my medical condition. I have been right and the diagnosis incorrect on multiple occasions.

        6. Much too often, “experts” have personal opinions that they like to use their degree & “expertise” to promote. But the opinion is no better, and all too often, much worse than good old common sense.
          I personally don’t blindly trust anyone, and certainly not “experts”.

        7. I think it could be made much simpler. Any *ban* of any kind should have to have overwhelming support both publicly and with solid, grounded, scientific data. And in addition, the ban should have some profound positive effect that vastly exceeds its negative effect.

          A good example of totally scare monger “bans” would be something like lawn darts. Some guy’s kid got skewered while his older kids and neighbors were playing “let’s toss the dangerous pointy object as high as we possibly can and then run for our lives” and it ended badly. Afterwards the man made it his life’s mission to kill that particular product. Now, in the grand scheme of things millions of these darts had been sold and over a few decades had resulted in only a couple deaths. Sure those deaths are tragic but they are not statistically relevant. If he had sued the maker and won enough money to make it not worth selling (for that company) that’s one thing, but it’s not how it ended. It ended with government regulatory action ending the product and restricting its import.

          Those types of stupid bans simply shouldn’t be possible at all. We should still be able to buy lawn darts. It’s not like they’re hard to make at home anyway. And stupid people will do stupid things.

        1. Exactly! And, in actuality, the elected ones aren’t the ones in ultimate control as is now being revealed in the US. They’re just the facade. A Princeton study showed that back in 2014:

          Testing Theories of American Politics: Elites, Interest Groups, and Average Citizens [Princeton University, 2014]

          https://www.cambridge.org/core/services/aop-cambridge-core/content/view/62327F513959D0A304D4893B382B992B/S1537592714001595a.pdf/testing-theories-of-american-politics-elites-interest-groups-and-average-citizens.pdf

          Excerpts:

          A great deal of empirical research speaks to the policy influence of one or another set of actors, but until recently it has not been possible to test these contrasting theoretical predictions against each other within a single statistical model. We report on an effort to do so, using a unique data set that includes measures of the key variables for 1,779 policy issues.

          Multivariate analysis indicates that economic elites and organized groups representing business interests have substantial independent impacts on U.S. government policy, while average citizens and mass-based interest groups have little or no independent influence. The results provide substantial support for theories of Economic-Elite Domination and for theories of Biased Pluralism, but not for theories of Majoritarian Electoral Democracy or Majoritarian Pluralism.

          In the United States, our findings indicate, the majority does not rule—at least not in the causal sense of actually determining policy outcomes.

          When a majority of citizens disagrees with economic elites or with organized interests, they generally lose. Moreover, because of the strong status quo bias built into the U.S. political system [that describes the overwhelming influence of the administrative state and lobbyists – W], even when fairly large majorities of Americans favor policy change, they generally do not get it.

          To be sure, this does not mean that ordinary citizens always lose out; they fairly often get the policies they favor, but only because those policies happen also to be preferred by the economically-elite citizens who wield the actual influence.

    3. Only a very overly-technical person would think a carjacker would be a guy carrying around a trendy radio-hacking gadget. Any normal person knows exactly what a guy who steals a car would be using, it won’t ever be a souped-up Cybiko.

  2. Well if you have access to the fob you can clone it

    Or try to hack the CAN bus to sync a new key

    Lots of work and syncing a new key typically needs verification thru can bus…

    So could a flipper be used

    Yea, would you want to? No

    Easier to buy fob and hack it to sync another key

    You can sync more than one fob to a vehicle

    1. No, you can’t clone it. There is something called rolling code.

      There is the Rollback CVE that can be used and exploited, but it requires 3-5 SEQUENTIAL key press recordings.

      I’m not even discussing rolljam. It’s an interesting concept, but functionally useless for cars.

      1. With physical access to the fob, you absolutely can clone a large number of fobs (not all) that feature complex rolling encryption algos; it’s some of the most basic locksmithing you can do, and is usually the easiest way to get the customer a duplicate fob without having to “add a key” or do an “all-keys-lost” procedure! Again, this requires physical access to the fob and some basic locksmith equipment, and not all algos are clonable yet, but a large swath of them are.

        On certain models, specifically ones with proximity auto-unlocking, you can trigger the key fob remotely (usually with a simple RF amplifier/yagi antenna) and get the required number of sequential “key press” recordings, or just amplify the signal both ways and gain access to the vehicle – it’s all RF, and peoples’ vehicles are typically close to the fob in the house/apartment. Once started and in-gear, MOST vehicles usually won’t turn-off due to no fob being present as you’re driving. Combine this attack with the aforementioned cloneable chips, and you can make a legit fob easily.

        This doesn’t even go into the “immo off” attacks that can be performed/installed in minutes. Especially now that everything is interconnected via data buses, locating an exposed data bus is usually as easy as reaching through a fascia and knowing which wires to attach the immo-off emulator to. Yes, headlights can be connected to the main CAN bus for the projector leveling module. So can lots of other ridiculous things, such as ADAS (parking aid/blindspot/radar cruise/lane departure/etc….) modules (almost always located on the main High-speed bus!), fuel pump control modules (very easy to access), etc. From there, it’s just usually a j-box and an uploaded “tune” away from having a totally disabled immobilizer. Even these vehicles with “secure gateway modules” aren’t much of a challenge with the right knowledge and a $20 cable.

        Never doubt the ability for someone to hack something – if it can be made, it can be hacked with enough motivation.

      2. Ya, you can. Here in BC a guy got caught stealing a car with a Flipper Zero. To keep out of jail they showed how they did it with a Flipper. So stop saying it can’t be done with a Flipper. And those politicians talk to actual experts in the field.

  3. My car:

    Always takes me where I need to be and occasionally where I want to be and is comfortable enough.

    Is 14 years old.
    Has about 375,000km on it.
    Has been paid off for… I forget how many years.

    Ah, silly people who pay their next decade of could-have-been retirement savings on a shiny new car and the next two decades in interest on that loan… just to be worried all the time that someone will steal it!

    I guess someone needs to buy new to keep the factories going. Their chosen bondage to the bank funds my retirement!

    1. My car is 40 years old.
      I’ve had it for 20.
      I paid $1500 cash
      Sunk $3k into it over the first 2 years
      Excluding tires, wipers, oil, filters, and fuel, I’ve barely put that much into it since.

      Now INSURANCE, which I’ve never made a claim on….
      Over $20K deep with no hope of relief.
      It would be nice if there was “Whole life” for cars instead of just term.

      You say your car has been paid off for “I forget how many years”
      So you too chose bondage to a bank?
      or are you as confused as your words are confusing?

      a decade on a shiny new car and two decades on the loan interest? Really?
      Where on earth are you finding 30 year car loans?
      I don’t think I’ve ever heard of a car loan term longer than 6 years.

    2. Quite, indeed. A car doesn’t need to be either unused, recently made or expensive for it to be good. My car is from 2013, bought it second-hand for 7000€ and it has served me perfectly well so far and I haven’t had any good reason to even consider switching to a newer model.

      Sure, I’d like an EV with all the cool bells and whistles, but I can find so much better use for all that money that it just ain’t happening.

      1. I’d like an EV, but without all the bells and whistles.

        That’s a simple, stupid EV that just goes.

        I don’t want a touch screen “infotainment unit.” Give me a simple radio with Bluetooth, USB, and line in – and real buttons so I can feel where to push without taking my eyes off the road.

        I don’t want a built in navigation system. They suck and you have to look away from the road over to the infotainment screen to see which “turn right” out of the three streets in the next 100 meters the damned thing really means.

        I don’t want a lane assistant that tries to correct my driving. I’m driving far to the right because the freaking road doesn’t have a center line and the oncoming cars are taking their half of the road out of the middle.

        1. 2021 Toyota RAV4 Prime. Nothing newer or older. The battery is serviceable and upgradable by your average Joe. The computer system is completely documented. It has lidar, so you can install an auto driving system like openpilot if you want and it performs better than a Tesla.
          It has a full electric mode, but you can get 80mpg in gas mode if traveling long distances.
          This is THE hackable car.

    3. I’ve had older cars. I have learned that if you can afford cars that aren’t constantly on the verge of needing another repair, it’s probably worth it. The only reason I didn’t run out of money paying for rides when my car was in the shop for the umpteenth time was that I could borrow a car from family, and even then I had to be towed sometimes.

      1. If you buy an older car cheap, and expect it to run forever without issue you’re signing up for disappointment.

        If you buy an older car, and play catchup on ALL of the previous owners’ neglect, rather than waiting for it to break down, there’s no need to worry. Well maintained cars aren’t in and out of the shop.

        1. As an example, I had a steering pump fail catastrophically at one point. The pulley shattered, impacting various other parts under the hood including the radiator which also had to be replaced. Before this happened, absolutely nothing was visibly wrong and it wasn’t due to be replaced so far as I’m aware. Any systematic plan I could have come up with for maintenance that was less aggressive than replacing every semi-accessible part regardless of age or apparent condition would have caused me to leave the thing in and would have had the same result.

          And for the cost of both buying an older non-classic car and replacing everything in it to restore it and make it like new, I could have saved time and money by buying something that was in better shape to start with, unless I was specifically looking for a project car.

    4. That doesn’t always work out. I bought a new car last year, because my then-16-yo car had the transmission go on it. When discussing getting the transmission rebuilt with a local shop, they noted the subframe had rusted and the entire engine compartment was beginning to shift *downward*. Sadly, the shop noted that the car was in pretty good condition, other than those two issues.

      Sometimes, it’s not worth keeping an older car (I’m looking at you, GM).

      1. Subframes don’t just rust out. That takes years of neglect. In those 16 years, how many times did you get the undercarriage cleaned? I’m betting the answer is ZERO rather than the 4 to 6 times per year that’s recommended. 90% of cars’ issues can be attributed to improper maintenance.

  4. The truck I drive is a 2011, has keyless entry and remote start, but it won’t move until the steel key goes in the ignition. Now some could try and point out a certain lack of modern convenience, except for the fact that I watch people, in a never ending doom loop, entering in their lock screen codes, and there it is: get the car, not that hard, and with it comes most of the data on the owner’s phone, which would be otherwise hard(er) to get, well at least for an honest physical goods thief, of which there are not going to be many who have the cross platform skills to gain remote entry capability and then pick a physical lock.

  5. There aren’t any significant number of criminals using sophisticated technical attacks. That’s a completely imaginary threat in the real world. Why would you go to all this effort? You’re already doing something illegal, so just sneak up with a gun while they’re entering the car. Or use a big screwdriver. Car thieves aren’t exactly equal opportunity, they don’t have a friggin ARRL license. Why pretend?

    1. You would be surprised. Dodge performance cars (Charger, Challenger, scats, demons, etc) are stolen SO often specifically because they are so vulnerable to technical attacks. There are kids in major cities all over the US using rf signal relays/extenders, key cloning, and dlc connector attacks, and even sometimes wireless network connection of cars to steal them.

  6. The comment about cars that are vulnerable to the flipper not being new enough to interest car thieves isn’t super accurate. There are plenty of everyday regular traffic cars from the 90s and early aughts, even in the 10s that are extremely valuable. Many of them are worth 5-10 times what they were new, or at least 5 figures. Think supra, skyline, nsx, integra, GTI, etc. The older cars might not pull 50k+ like a newer car, but they also don’t have cameras, LTE, or GPS and are harder to track/find, as well as them not being protected as much.

    Don’t let your car’s age lull you into a sense of security.

      1. Lol you’re definitely not in touch with the tuner crowd. I’ve seen 15 year old Subarus with 60k$ in mods, last gen twin turbo Supras from the early 90s going for 70k in stock configuration (I remember test driving one that was 27k$ at the time back in the 2000-2001 time frame). To think I could have put 3k miles a year on it and sold it for 50-70k 20 years later is just crazy.

        The last gen Toyota MR2 Turbos are really popular as well. The 90s and early 2000s were a golden era for sports car buyers. It was before the insane SUV craze really took hold, the cars were powerful *and* lightweight which gave them a really aggressive and raw driving dynamic. Sure a top spec modern day Accord has more total HP but is much heavier and far less balanced and “fun”.

        I loved my 1992 Porsche 968. 200ish HP RWD 6 speed and super light and tossable. It loved to be driven. I loved my 2006 Subaru WRX STI, and its 350 (stage 2) HP and amazing AWD system, but it was starting to inch up in weight and size. My wife’s 2008 G35x sacrificed even more weight for a quiet and comfy ride while also still giving a nice edge and using a rock solid 6 cyl NA engine.

        Fast forward to 2024 and air, mpg and safety regulations are strangling modern sports cars. The safety regs have added huge amounts of bulk and weight to cars so they don’t get crushed by all the 5-6000 lb SUVs clogging roads now. Air quality regulations and MPG regulations are stricter for a car than they are for a truck/SUV (thanks to lobbying sadly). So now a sports car has a vastly more complex turbo or multi turbo engine with smaller and smaller displacement to meet MPG regs since the market is small enough manufacturers would rather use up their lower mpg volume on big money makers like big SUVs.

        So now a “sports car” (not an exotic or hypercar like Ferrari, Bugatti, etc) is hamstrung by a small market, everyone switching to CVTs on smaller cars for fuel savings, complex low displacement high compression turbo engines, and lots of extra weight. And for all of that they mostly have less horsepower than they did 15 years ago.

        It’s telling that considering all of those factors the highest performance new vehicle per/$ I could find wasn’t a gas vehicle at all, it was a Tesla Model Y. The only one of those issues it suffers from is the extra weight. Yet only when compared to a sports sedan. Compare it to a similar SUV and it’s about the same. The AWD BMW X5 is 12% heavier and actually has 16% less cargo volume (and when stuffing every nook and cranny the Tesla actually has 36% more cargo volume, a benefit of not having a large engine up front or a transmission and AWD system and diffs).

        Affordable, powerful gas sports cars have mostly died. We will see if an EV version arrives to fill the void (think Model 3, but 2 door and super focused on driving dynamics). Regardless, all of us petrol heads will still mourn the loss of a roaring i4 turbo, a big V6, or a high revving V8, V10 or V12 and the joy of rowing gears in a manual.

  7. Misinformation from clueless people isn’t new though. Remember the old rumor of a 5G schematic circulating, claiming it’s a schematic diagram of the covid-19 caused by 5G? Even long ago, people were scared of the newfangled radio towers for AM stations. If it’s something new that people don’t understand, they’d make mistaken assumptions. And embarrass themselves in the process if the majority pointed out the truth with proof of truth.
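The rolling-code point argued over in the comments above (“you can clone it” versus “no, there is rolling code”) is easiest to see in a receiver model. The following is an added example written for this page, not code from the article, the locksmith or any commenter: a constructed, generic counter-plus-keyed-hash scheme with a small look-ahead window, not any manufacturer’s algorithm. It shows why a code captured in the air is dead once the car has seen a later one, why a few presses made out of range are still accepted, and why a fob that has drifted past the window needs a dealer or locksmith resync procedure rather than another press.

```python
"""Constructed model of a rolling-code fob and its receiver (educational)."""
import hashlib
import hmac

WINDOW = 16  # how many unseen presses the receiver tolerates (assumed value)


def derive_code(secret: bytes, counter: int) -> bytes:
    """Code for one press: keyed hash of the press counter, truncated.

    The counter is never sent in the clear in this model, so the receiver
    has to search its window for a counter that reproduces the code.
    """
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1          # every press advances, whether or not the car hears it
        return derive_code(self.secret, self.counter)


class Receiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0      # highest counter accepted so far

    def accept(self, code: bytes) -> bool:
        # Only counters strictly ahead of the last accepted one, within WINDOW,
        # are candidates; anything at or behind last_counter is a replay.
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if hmac.compare_digest(derive_code(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False               # replay, wrong key, or fob drifted past the window


def demo() -> dict:
    """Walk through the cases the commenters argue about; returns outcomes."""
    secret = b"constructed-demo-secret"   # constructed sample value, not a real key
    fob, car = Fob(secret), Receiver(secret)
    out = {}

    first = fob.press()
    out["legit_press"] = car.accept(first)          # True: counter 1 accepted
    out["replay_same_code"] = car.accept(first)     # False: counter 1 already consumed

    stale = None
    for _ in range(5):                              # presses made out of range
        stale = fob.press()
    out["after_missed_presses"] = car.accept(fob.press())  # True: counter 7 inside window
    out["stale_missed_code"] = car.accept(stale)    # False: counter 6 is now behind

    for _ in range(WINDOW + 5):                     # drift far beyond the window
        fob.press()
    out["beyond_window"] = car.accept(fob.press())  # False: needs a resync procedure
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} accepted={accepted}")
```

A receiver that also logs the rejected codes gives a defender a usable signal: a burst of rejections that are all valid codes behind `last_counter` is exactly the fingerprint of replayed captures.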
