this post was submitted on 09 Sep 2025

145 points (91.9% liked)

Technology

75103 readers

2216 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

145

Flipper Zero, Car Thieves, and a Brewing Security Crisis: What’s Really Going On? (www.carsandhorsepower.com)

submitted 4 days ago by Changelin@discuss.tchncs.de to c/technology@lemmy.world

28 comments fedilink hide all child comments

Underground developers are selling Flipper Zero “car unlock” packages for hundreds of dollars, complete with a PDF listing targeted makes and models and whether the hack enables only door unlocks or full start/drive.

all 29 comments

sorted by: hot top controversial new old

[–] lefixxx@lemmy.world 31 points 4 days ago (1 children)

The blame falls on the car companies (and the thieves ofc)

They are still using rolling code technology when public private key exchange exists from the 70s. The have stagnated from anti theft technology while being in the bleeding edge of DRM and data collecting.

they profit from rediculous keyfob prices when a 2$ microcontroller can do the job

they have locked down the car so its impossible to modify

they are not doing recalls to patch the vunorabilities

they have lobbied against security research and threatened researchers with litigation

[–] interdimensionalmeme@lemmy.ml 5 points 3 days ago

They want to lock us out of our car by putting shitting 1970s technology in their cars. We could have x509 certificate and contact less smartcars that bank use and cost pennies. But no, rolling codes OR "dealership only 1000$ per service" for anything access control related. That's the plan

[–] panda_abyss@lemmy.ca 83 points 4 days ago* (last edited 4 days ago) (2 children)

None of this needs to happen. Frankly insurance companies need to be holding the car manufacturer's feet to the fire by not insuring cars that can be trivially stolen like this. If a Flipper Zero can steal a car that is 100% on the car manufacturer.

If a tiny yubikey can generate cryptographically unique keys so can a car key fob.

It would not be that difficult to design a key fob which pairs with the car wirelessly (just like Apple uses for AppleTV and Apple Watch).

Literally all you need is:

Car has private/public key pair (which can be reset by technicians, but requires physically opening up the car)
Sync keyfob to car -- keyfob generates unique key pair, keyfob shares public key with car.
When the keyfob communicates with the car, all signals to unlock or start are cryptographically signed, then the car sends a token to authenticate and confirm the instruction.

If anyone complains about battery life just make the fob rechargable instead of the annoying shitty battery change process. You can even make a charging port in the car (where they keyhole used to be, or in the wireless charging tray).

Plus this can be extended to phones with zero trust and no need for external infrastructure or violating user privacy.

[–] pivot_root@lemmy.world 24 points 4 days ago (2 children)

Frankly insurance companies need to be holding the car manufacturer's feet to the fire by not insuring cars that can be trivially stolen like this.

The governments should be, too.

Instead, some countries are taking the approach of banning Flipper Zeros or restricting their sale instead. That's like outlawing flathead screwdrivers because you can use them to pop improperly-installed doors off of their hinges.

It's on the car manufacturers to fix their poor security, not on tool suppliers to not make tools.

[–] panda_abyss@lemmy.ca 14 points 4 days ago (1 children)

Yeah, you can ban flipper, but then someone is going to use a raspberry pi zero with a SDR hat, or an arduino, or an old android phone, or a wifi router and battery pack.

[–] martinb@lemmy.sdf.org 4 points 3 days ago

Ban electrons!

[–] SaveTheTuaHawk@lemmy.ca 3 points 3 days ago (1 children)

car manufacturers to fix their poor security

"oh no, your car got stolen....here's another car for you to buy"

We need a global system of digital ID that simply bricks any car reported stolen.

[–] JcbAzPx@lemmy.world 5 points 3 days ago

Yeah, because there's no way remotely brickable cars could ever be abused by the manufacturers.

[–] Broken@lemmy.ml 15 points 4 days ago

insurance companies need to be holding the car manufacturer's feet to the fire by not insuring cars

I agree with the sentiment, but unfortunately that screws over the owners far more and for far longer before it even impacts the car manufacturers.

Maybe a better attack (aside from government regulations) would be banks to not provide financing for loans to buy those cars. In the end, if the car is stolen they are at a loss so that makes sense.

People can't get loans, so don't buy the risky vehicle. It hurts a little in the now to direct them towards cars that will not be a problem in the future. And the car companies feel the sting of lost sales right away.

[–] Treczoks@lemmy.world 34 points 4 days ago

Well, shit happens if you let people develop security protocols without experience. But the car industry saved money by this.

[–] MangoPenguin@lemmy.blahaj.zone 7 points 3 days ago (1 children)

Sounds like poor design on the manufacturers part if a $20 microprocessor and radio can break into a car.

[–] phoenixz@lemmy.ca 4 points 3 days ago

Ding ding ding

It's just manufacturer managers going to the el cheapo solutions, which gets them the bonus they way, then the leave. Then it's surprised Pikachu face time when the entire system stinks and is worthless

[–] czl@lemmy.dbzer0.com 41 points 4 days ago

The shitty website is riddled with redirect ads.

Here is the archive https://web.archive.org/web/20250909120542/https://www.carsandhorsepower.com/featured/flipper-zero-car-thieves-and-a-brewing-security-crisis-what-s-really-going-on

Tl;dr not a lot more on the article than the headline says.

[–] SaveTheTuaHawk@lemmy.ca 8 points 3 days ago (1 children)

all because people don't to burn a calorie twisting a metal key.

[–] frezik@lemmy.blahaj.zone 5 points 3 days ago* (last edited 3 days ago) (2 children)

It's not like keys were some kind of unbreakable security, either. In fact, I think their shitty electronic security is actually an improvement.

[–] JcbAzPx@lemmy.world 4 points 3 days ago (1 children)

Jimmying a lock is a lot more skill and effort than vaguely waving a device in the general vicinity of a car.

[–] frezik@lemmy.blahaj.zone 1 points 3 days ago* (last edited 3 days ago)

Not really. A lot of those locks were breakable by jamming a screw driver in.

Edit: this thing works on replay attacks. At a minimum, you have to catch the signal while the owner presses the button.

[–] ArcaneSlime@lemmy.dbzer0.com 2 points 3 days ago

I'ma be honest, a wedge, a puffy bag, and a fancy stick is like $20 at every auto store and works just as well on those fancy doors as it does on keyed ones. If someone wants in they'll get in.

At least the electronic ones ostensibly can't be hotwired though, supposedly. Not sure how much I believe that though.

[–] AmazingAwesomator@lemmy.world 31 points 4 days ago* (last edited 4 days ago) (1 children)

owning a hammer is not a crime, bashing in a car window with it is.

also, it is currently illegal for car owners to put custom firmware in their cars & there is no open standard to allow 3rd party software. all stolen cars should be refunded by the manufacturer for forcing us to use their shitty soft/firmware.

[–] IphtashuFitz@lemmy.world 15 points 4 days ago

Part of the problem is how insanely complex modern cars are. Modern cars can have 30+ different ECUs, and knowing which ECU does what can be difficult to figure out. Programming ECUs is also a bit of a dark art, and a model line of cars can go through a number of ECU versions over time.

I used to own a car that the battery regularly died on. Eventually, after multiple dealer visits, a couple replaced batteries, and hours of internet research, I found two service recalls that described my cars symptoms perfectly. The problem for me was my cars VIN fell outside both recall notices. But I took printouts of both recall notices to a dealer and they agreed to look into it. They confirmed my car had buggy firmware, annd ended up installing updated firmware on two different ECUs. I never had a battery problem again after that. I’ve worked in tech for 30+ years and I wouldn’t have wanted to tackle that on my own…

[–] Jode@midwest.social 31 points 4 days ago (1 children)

Can do with a 100 dollar flipper zero? Maybe I should get one of those instead of paying VW 400.00 to replace my broken fob.

[–] BlackVenom@lemmy.world 1 points 4 days ago (3 children)

They're $200, no?

[–] Sm0ke@lemmy.dbzer0.com 3 points 4 days ago

Yeah, they cost $200. Unless this guy has a hookup 👀

[–] interdimensionalmeme@lemmy.ml 1 points 3 days ago* (last edited 3 days ago) (1 children)

It's a 3$ esp32 with a 3d printed case and a 1$ LCD

https://github.com/flipperdevices/flipperzero-firmware
https://github.com/djsime1/awesome-flipperzero

[–] ArcaneSlime@lemmy.dbzer0.com 1 points 3 days ago

But the firmware that can do this:

A) Still desyncs your real fob

B) Still has to read a signal from the fob, you'd have to do that before your OG broke.

C) Costs like $2000, is serial locked to two flippers, and is being sold sketchily by a guy recently released from prison who has no accountability not to scam you.

[–] floquant@lemmy.dbzer0.com 0 points 4 days ago

The original Kickstarter price was around 120

[–] frongt@lemmy.zip 23 points 4 days ago

Companies whose primary product isn't security are shit at security. What else is new?

[–] waddle_dee@lemmy.world 4 points 4 days ago

I feel like this is mostly fluff. 404media had a better report on this.