Share this article on:
The Canadian government has released plans to outlaw everyone’s favourite penetration testing “toy”, the Flipper Zero, in an effort to prevent people from using them for car theft.
The Flipper Zero is a penetration-testing device that is able to replicate infrared (IR) remote signals, allowing users to control devices that receive these signals, such as garage doors. It can also take radio signals from car key fobs and record them; however, reports suggest that this is often ineffective due to inbuilt security systems. RFID, NFC, Bluetooth and other signals are also available.
The Tamagotchi-looking device was first launched from a Kickstarter campaign, which raised almost US$5 million, smashing its goal of US$60,000.
However, while its intentions were purely for pen-testing purposes or for innocent pranks and experimentation, it has the potential to be used nefariously.
Now, the Canadian government has announced that Flipper Zero devices will be outlawed.
“Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried,” said Canadian Industry Minister François-Philippe Champagne on X.
“Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”
The government of Canada had previously held a national summit on combating auto theft, which discovered that 90,000 vehicles are stolen annually, or one every six minutes. This reportedly resulted in CA$1 billion in losses every year.
The government’s Innovation, Science and Economic Development (ISED) department wrote that it would “pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies”.
The announcement ignited a significant wave of backlash, including from the Flipper Zero company itself, which asked for evidence of the device being used for theft.
“Dear François-Philippe, we’d appreciate it if you could provide any evidence of Flipper Zero being involved in any criminal activities of this kind,” the company responded.
“We’re not aware of any events like this and, frankly speaking, not sure what was the reason for this discussion to begin with.”
A cyber security researcher with the X handle @dragosr also pointed out that the ban could be incredibly harmful to the industry.
“You can use screwdrivers to steal cars too,” he said.
“Does this mean you intend to make sure Canadians don’t have access to any digital tools? Do you have any idea how this impacts the development of digital technologies and industry?”
“By the way, at my CanSecWest conference some researchers recently showed how to use a Raspberry Pi to relay Bluetooth to unlock poorly secured Bluetooth car locks. Does this mean you are going to try to outlaw computers too?” he said in a second post.
Flipper Zero also added that stealing cars made in the last 24 years was not possible using the Flipper Zero and that only older cars from the ’90s and before were at risk.
“Flipper Zero can’t be used to hijack any car, specifically the ones produced after the 1990s, since their security systems have rolling codes,” chief operating officer of Flipper Devices Alex Kulagin told Bleeping Computer.
“Also, it’d require actively blocking the signal from the owner to catch the original signal, which Flipper Zero’s hardware is incapable of doing.
“Flipper Zero is intended for security testing and development, and we have taken necessary precautions to ensure the device can’t be used for nefarious purposes.”
This is not the first ban Flipper Zero is facing, with Amazon banning the sale of the device on its platform since April last year after it was observed being used as a card skimming device.