So, rather than hold automakers accountable for not having proper and effective security practices you focus on a tool designed for security professionals.
This take is so unbelievably brain dead I'm surprised these people are able to breathe without machine assistance
Auto makers are really bad about it. CAN Injection has been a thing for a while now. Cars are going IoT, and a flipper will be the least of the vulnerabilities as things progress.
Flipper Zero Multi-tool Device for Geeks
Flipper Zero is a portable multi-tool for pentesters and geeks in a toy-like body. It loves hacking digital stuff, such as radio protocols, access control systems, hardware, and more. It's fully open-source and customizable, so you can extend it in whatever way you like.
Flipper Zero is a portable multi-tool for pentesters and geeks
multi-tool for pentesters
pentesters
Pentester or penetration tester is a cybersecurity professional that can be located on red team (offence) or blue team (defence) and works to determine potential vectors for attack that need to be rectified or exploited, depending on who they're working for and what their goals are for their employer.
Just because what you consider immoral or moral individuals use it doesn't change the inherent nature of the tool to be used for specific circumstances. You'll also notice I didn't put any deterministic language when describing a penetration tester, because regardless of what side of the law they're on they're still cybersecurity professionals, it's just that one side happens to pay better.
A knife can be used to dissect as well as it can be used to mutilate or even vivisect. How a tool is used is determined by the user not the creator.
Complaining that a few people use the item for nefarious purposes when the majority of problematic cases are issues at the developer level for the items being affected (i.e. vehicles) is extremely short sighted. Are you going to restrict all PC's because they can be used for network intrusion?
Are you going to limit access to the internet because the freely available information can teach anyone to create a dirty bomb?
The premise of your outlook is inherently erroneous in my opinion.
I'm not talking about the uses for the tool, I'm talking about how you used the company's own website as a point of reference for the tool's capabilities. They have a profit motive so of course they're not going to advertise unsavory uses for their product, just like your knife companies aren't going to advertise that their product can be used for mutilation.
The irony of you saying I am the one being pedantic is seriously hilarious.
You should probably work on your reading comprehension and critical thinking skills.
The entire premise of your argument is 'only criminals use this tool' or 'the majority of users of this tool are criminals' when that is fundamentally and objectively incorrect.
You clearly lack any serious experience in computer science, let alone cybersecurity, and it shows.
I can buy lockpicks, slimjims, and all sorts of other locksmith tools made specifically to gain access to cars quickly and easily. And I could have been doing so for way, way longer than the Flipper has existed.
I think people need more visibility over the electromagnetic spectrum, not less, to catch car thieves. This needs to be white hat into a car theft attempt detection kit.
I would have expected an OTP type code to unlock a car... Considering how expensive cars are, this is really cheap to implement. Heck, I could buy a yubikey for €25, and I'm sure if a big company wants to buy a million of them, they can do it for a fraction of that cost... A brand new car costs tens of thousands..., it should've been a no brainer to include better security.
I believe you, this world is so weird... For companies that make tens of billions in profit, saving a million dollars on chips is almost a rounding error compared to the benefit to their reputation when their cars are more secure.
Ever since I first met the insanity that are business indicator numbers, I lost my believe in humanity. People knowingly hurt their companies effectiveness and prosperity just to improve those numbers. And they get rewarded for it.
First blame the thief. But then in the same breath blame the manufacturers that refuse to sell cars with meaningfully working locks. If you understand the tech many car companies keep selling cars that have locks that are about as secure as a zip tie.
I remember one of my seniors at work asking me how open source software manages to develop so much without a direct monetary incentive.
"There’s no lack of resources to give everyone everything they want." <- is the point.
Our civilisation has enough people who like coding, willing to put their spare time into OSS, to be able to get good quality tools for use in all fields.
Now all we need is for all of those people to be given enough spare time without having to worry about things like mortgages, loan payments and basic survival in some cases and everyone can profit (including the companies who would be giving them the spare time).
Oh right, forgot about this little thing. Had my eye it long time ago, but forgot about it. Thanks for reminding me Canada. Should probably read up on Streisand effect.
This is about more than just cars. Anything that uses RFID, NFC, etc, such as an employee badge or even contactless credit/debit card payments, are vulnerable to such an attack.
Regardless of whether it's open source hardware/technology, should we be authorising sales of such prebuilt devices for $170 which can allow the average Joe to break into an office or steal a car?
I'd argue that these devices are so cheap and so capable that it exposes the poor security that is rampant everywhere. Banning them wont stop similar devices from being made and used criminally. Instead this should be a wake up call to everyone about which forms of communication or authentication are largely ineffective.
did you read the article? the flipper can essentially "break into" next-to no cars produced after 1990
Should 'we' be 'authorizing sales' is an interesting choice of words imo also, nothing negative just saying it made me question who the "we" part really is, and if something being sold has thus been authorized by some all powerful body
It seems like maybe the problem is that automakers were able to widely market vehicles that use wireless protocols that are relatively easy targets for attack. This was never properly secure.
Automakers should absolutely be held to higher standards (in general) than they are, and it's not likely that banning specific devices is going to have any measurable outcome here. It's pretty well known that people buy and sell malware, and people can just... make devices similar to a Flipper with cheaply and readily available hardware.
This is just dumb posturing to avoid holding automakers and tech companies accountable for yet another dumb, poorly thought out, design feature.
And obviously it doesn't stop at cars. It seems pretty clear that snooping on any feature using RFID or NFC tech is only going to become more widespread. Novel idea: what about using... actual keys as the primary method of granting physical access? Lock picking is obviously possible but a properly laid out disc-detainer lock is pretty goddamn hard to bypass even with the proper tools, and that skill can't just be acquired in the same way as with electronic methods of bypass.
I could care less about cars, but this thing has hacked glucose pumps and led to a St Jude's pacemaker recall, so fuck em. People can have their toys back after manufacturers of literally everything are better regulated. Until then, it's a weapon.
I'm not here to present my thesis, and even if I were then proving something doesn't exist would be a stupid waste of time as absence of evidence is not itself evidence. I've already presented multiple specific breaches caused after the availability of Flipper Zero. You have Zero legs to stand on in this argument.
It's a multi faceted blame. Yes, you blame the hardware that's helped used to commit the crime, then you blame the people using it to commit the crime, then you blame the people still allowing it to be done. Look at America for example. People use guns to kill children in schools. Then you blame the person for committing the crime, then you blame the politicians who refuse to make it harder to get a gun
The problem is where does the line end? I can use a Mason jar, metal bits, and some simple household chemicals to make a shrapnel bomb like they used in the Boston Bombing. Should we ban Mason jars? I can additionally buy a dozen consumer drones and then attach those shrapnel bombs and fly them into a crowd at eye level - making the Boston Bombing look tame in comparison.
Are we to ban drones? I can use basic household cleaners to make mustard gas, I can get cyanide from regular items, I can take my car and drive it into a group of children waiting for the bus.
If someone wants to commit a crime, they are going to find a way. There's a line where we have to look and say - the costs of living in a free society means that individuals have the capacity to commit crimes. If we get rid of the capacity to commit crimes entirely, we would have also necessarily gotten rid of the free society.
I don't get these arguments. These tools aren't weapons, and limiting legal access to pentesting tools will decrease corp's and individuals' ability to be proactive about security.
These devices can be manufactured relatively easily and making them illegal will essentially mean the only people doing security tests are criminals. Large tech companies, correctly, run bug bounties where independent security researchers can make income by reporting reproducible and exploitable bugs. The concept here is called offensive security and it's extremely important for building better and more secure platforms. This situation will never be improved by limiting legal access to useful testing tools.
The responsibility should be on automakers and other companies that have massively insecure products, not on open source developers who are making products for security researchers.
The whole "these can be used for high scale crimes" argument is straight up fearmongering. One or two people have reverse engineered the remote protocol on one or two specific models of Volkswagen car, and, after listening to the car being locked and unlocked several times using a laptop and $500 SDR, can reconstruct a signal to unlock the car. When a cybersecurity professional figures out this is possible at all, it makes the news.
If your car can get broken into by any random script kiddie with a Flipper Zero, sue the car company for gross negligence.