Readit News
GuB-42 · 2 years ago
> Security tools like Flipper Zero are essentially programmable radios, known as Software Defined Radios (SDRs)

The Flipper Zero is not an SDR, it is less capable than that.

That's the ironic part, the Flipper Zero is a rather weak hacking tool.

It can open car doors, but it is so impractical that it is not much more than a party trick. You have to record the code by pressing the button on the keyfob out of range of the car and in range of the Flipper. You can then open the door to the car, once, and only if the owner didn't open it first. There is a more advanced and maybe practical attack called rolljam, but I don't think the Flipper is capable enough to do that.

The only thing is that the Flipper Zero is fun, cheap(ish), and popular, but real thieves already have better tools for their job.

strangattractor · 2 years ago
At one time it was possible to open car doors with a coat hanger. Nobody suggested banning coat hangers. They fixed the doors.
noduerme · 2 years ago
This came in handy for me once when I locked myself out of a u-haul in what used to be a rough neighborhood in New York. I was standing there fishing with a coat hanger trying to figure it out when a gangster looking dude came up and was like "here, let me help you with that," and 3 seconds later had the door open.
bombcar · 2 years ago
There is (was?) a tool called a slim jim that was basically a purpose-built coat hanger for unlocking doors.

There was some talk of banning them in some areas, because people love treating symptoms rather than causes.

Nowadays the tow truck drivers have a little inflatable bag they slide into the top of the door and inflate so they can press the unlock button from the inside. Quite effective!

numpad0 · 2 years ago
Intentions sometimes matter. There is a South African shotgun aspirationally named Street Sweeper, and it's famously classified as a Destructive Device in the US, which is two levels more strictly controlled category, AIUI, IANAL, than a manually operated Gatling gun.

FZ is intended to clone keys and bypass security, I suppose in significant part for users' lawful convenience, but is kind of intended to do what it should not.

Coat hangers aren't engineered with intent to be shoved into the weather seal on a door.

technofiend · 2 years ago
I locked myself out of my car so often I ended up wedging a coat hanger under the rear bumper. You're right: car doors used to be trivial to yank open when you knew the trick. These days I'd love to create a little side project that sets the alarm off on my car any time a relay attack is detected. I'm sure Mark Rober or someone will end up doing it.
ummonk · 2 years ago
Not a great analogy though, since a coat hanger’s primary use is not to break into cars.

Note: I’m not advocating banning the flipper zero anymore than I’d advocate banning lock picks. I just don’t think the analogy is apt.

happytiger · 2 years ago
The idea of banning the flipper is like banning legos because you can build lockpicks out of them — it’s just nonsensical politician logic.
0xEF · 2 years ago
I suspect, in part, that this article and the people pushing for a ban wouldn't have even noticed the Flipper Zero if it didn't look like a toy. The case design looks like some advanced Tamagotchi and lands in a more accessible part of the lowest-common-denominator mind. If it looked like a raw PCB and wires, or some rat's nest jumble of little components, it wouldn't catch their attention as much. There is a lot to be said about how we package our hack tools, and the second you move into "magic box go brrrrr" territory, suddenly it gets real to those outside technical circles.
dymk · 2 years ago
What kind of lockpick can you build out of legos?
antirez · 2 years ago
The Flipper Zero is certainly not the problem here, and it is not a proper SDR tool, as said. But I believe it's technically interesting that the Flipper Zero uses the CC1101 inside it in a more powerful way. The chip can be configured to just report on a given pin the actual OOK/FSK state (logic high/low). The same can be done while transmitting. So the Flipper is not limited to the protocols/formats supported by the CC1101 during normal operation, but can do any protocol as long as it is within the frequency range and uses OOK or FSK modulation (or the FSK variants supported).
dylan604 · 2 years ago
> but real thieves already have better tools for their job.

there you go, letting logic get in the way of a politician looking to score points

kristopolous · 2 years ago
All this will do is increase sales volume. Given that flipper is 95% just a marketing play, I wouldn't be surprised if they're already on this
hoofhearted · 2 years ago
Sooo they have been stealing Infinitis from my area recently with relative ease, allegedly by using a Bluetooth OBD2 reader connected to an Android tablet running a pirated copy of some Nissan service tech software.

Nobody from any of the Infiniti groups is 100% certain how they are doing it, but the best theory out there is above.

Just the other night, a crew of dudes stole 3 Q50’s from my neighborhood with relative ease.

Here is the ring cam video my neighbor posted:

https://video.nest.com/clip/8ef4d060588d4c7289f87cccb00cb55a...

aetherspawn · 2 years ago
Well for one thing the OBD port shouldn’t be designed so that it has direct access to any useful CAN bus. It should go to a gateway that requires authentication to do anything except read OBD, and all of the IDs that you are allowed to send should be whitelisted.

The issue people are mentioning with the headlights is easily solved by just moving the starter CAN to its own CAN bus between the immobiliser and the ECU (physically isolating the headlights), which costs about $5 total and requires no crypto unless the thief is willing to cut the car nearly completely in half.

(The problem with crypto is the $10 safety MCUs used all throughout cars are only like 20MHz and they can’t really do the 2000+ crypto ops/sec on top of their current workload. Also the tooling support for crypto ATM is really poor in the model based design tools that are used for this safety relevant SW)

BTW I personally don’t believe that anything that involves cutting into a vehicle is negligence of anyone. I mean, from my perspective, anyone can just pop the hood and drive the car with their own BYO ECU. It’s just a hunk of metal and once you start cutting it up you can make it do whatever you want.

I am an automotive systems engineer.

ngneer · 2 years ago
Yes, the simplest solution sometimes really is the right one. Cheaply isolate sensitive targets from easily accessible areas. Your $5 solution is enough to avert these issues, and makes the attack a lot more expensive. The job is to find a "lever" where you only have to put in a little effort (say $5 worth) but which causes the thief to have to put in a lot of effort (cutting the car in half). The better the "lever", the safer the design.
arjvik · 2 years ago
I agree fully with this, except for the fact that this then makes devices like the Comma (comma.ai) impossible. The hacker in me really wants to be able to send steering signals by plugging something into my car :)
neuralRiot · 2 years ago
The solution is not that complicated: just route the wiring harness to a location not easily accessible from the exterior of the vehicle. There's nothing that can stop thieves, just delay them enough to increase their risk of being discovered.
aosmith · 2 years ago
See all that time the thief spends near the driver's side headlight? The headlights are on the CAN bus; if you can tap a couple of wires in there, the car is yours.
arjvik · 2 years ago
Genuine question - why do headlights need to be on the main CAN bus? Could they not be operated from somewhere closer to the ECU by wires that just carry power and maybe some very simple data lines?
ddalex · 2 years ago
I'm very surprised to see that the ignition control is on the slow speed can bus...
rasz · 2 years ago
Infinite Infinity car hack, came with two, left with three Q50s.

They do crouch an awful lot near front wheel well. Reminds me of this Toyota hack where thieves plug into headlight canbus wiring thru wheel arch https://kentindell.github.io/2023/04/03/can-injection/

aosmith · 2 years ago
That's exactly what's happening. This is not a wireless attack, it's a physical access problem.
markhahn · 2 years ago
Obviously, we want owners to have full access to their car's CANBUS.

So the question is: how should the OBD-2 plug (or wiring) be protected?

raizer88 · 2 years ago
All CANBUS packages that are useful to drive a car should be encrypted using a public/private key that is in the owner key. Decryption chips are cheap and fast.
hoofhearted · 2 years ago
The people in the Infiniti groups were recommending this obd2 lock haha

https://www.amazon.com/Tune-Saver-OBDII-OBD2-Lock/dp/B0BRF5D...

michael1999 · 2 years ago
Put the powertrain lockout system on a signed and physically protected network segment. Let the headlights, mirrors, etc live on a less secure segment.

This will impose higher costs when replacing these systems, because it will require key management of some kind. Either central cert management (with 20 year expiry?) or local key management. So only impose this on a tiny subnet for the starter/immobilizer.

amluto · 2 years ago
Perhaps the OBD port should only work when the car is validly unlocked and the engine immobilizer accepts a key? Maybe it could stay unlocked thereafter while a device is connected?

Android (adb) and iOS (iTunes backup) have solved this issue years ago.

cogman10 · 2 years ago
You don't protect the wiring, you protect the start protocol. Similar to asking "Can we protect the internet by protecting the ethernet cables?"

Put a public key on the engine controller, have it challenge the key with a random start number, have the key respond with the signature of that number, engine starts.

You can do that challenge over the CAN bus.
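As an added example (not code from the thread or from any commenter), the following simulates the start protocol cogman10 sketches: the engine controller issues a random challenge, the key answers with a keyed function of it, and the controller checks the answer before allowing a start. The comment proposes a public-key signature; this version substitutes an HMAC over a shared per-vehicle secret so that it runs with only the Python standard library, but the parts that matter for theft resistance are the same: the challenge is fresh and unpredictable, each challenge is answered at most once, stale challenges expire, and a recorded response is useless against the next challenge. The class and function names, the CAN arbitration IDs and the secret are all constructed for the example. Classic CAN frames carry at most 8 data bytes, so the exchange is also split into frames the way it would have to be on the bus.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, List, Optional, Tuple

# Classic CAN frames carry at most 8 data bytes, so a 16-byte challenge
# or a 32-byte response has to be split across several frames.
CAN_MAX_DATA = 8

# Constructed arbitration IDs for the example, not any manufacturer's.
CHALLENGE_ID = 0x123
RESPONSE_ID = 0x124


def to_can_frames(arb_id: int, payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a payload into (arbitration id, <=8-byte data) frames."""
    return [(arb_id, payload[i:i + CAN_MAX_DATA])
            for i in range(0, len(payload), CAN_MAX_DATA)]


def from_can_frames(frames: List[Tuple[int, bytes]]) -> bytes:
    """Reassemble the data fields of a frame sequence in order."""
    return b"".join(data for _, data in frames)


class KeyFob:
    """Key side: holds the per-vehicle secret and answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # The response is a MAC over this challenge only; it proves nothing
        # for any other challenge value, which is what defeats record-and-replay.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class EngineController:
    """ECU side: issues one-shot random challenges and checks the responses."""

    def __init__(self, secret: bytes, challenge_ttl: float = 2.0,
                 clock: Callable[[], float] = time.monotonic):
        self._secret = secret
        self._ttl = challenge_ttl
        self._clock = clock                           # injectable for tests
        self._pending: Optional[Tuple[bytes, float]] = None

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)           # fresh, unpredictable nonce
        self._pending = (challenge, self._clock())
        return challenge

    def accept_response(self, response: bytes) -> bool:
        if self._pending is None:
            return False                              # nothing outstanding
        challenge, issued_at = self._pending
        self._pending = None                          # answered at most once
        if self._clock() - issued_at > self._ttl:
            return False                              # challenge too old
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def start_attempt(ecu: EngineController, fob: KeyFob) -> bool:
    """One full exchange, carried over simulated CAN frames in both directions."""
    challenge_frames = to_can_frames(CHALLENGE_ID, ecu.issue_challenge())
    challenge = from_can_frames(challenge_frames)
    response_frames = to_can_frames(RESPONSE_ID, fob.respond(challenge))
    return ecu.accept_response(from_can_frames(response_frames))


def replay_attempt(ecu: EngineController, fob: KeyFob) -> bool:
    """Record one genuine response off the bus, then feed it to a later challenge."""
    recorded = fob.respond(ecu.issue_challenge())
    ecu.accept_response(recorded)                     # the genuine exchange succeeds
    ecu.issue_challenge()                             # next start: new nonce
    return ecu.accept_response(recorded)              # replayed response is rejected


if __name__ == "__main__":
    secret = b"constructed-per-vehicle-secret"       # constructed for the example
    ecu, fob = EngineController(secret), KeyFob(secret)
    print("genuine key:", start_attempt(ecu, fob))
    print("wrong key:  ", start_attempt(ecu, KeyFob(b"some-other-secret")))
    print("replay:     ", replay_attempt(ecu, fob))
```

The one-shot handling in accept_response matters as much as the MAC: if the controller kept a challenge alive after a failed answer, an attacker on the bus could keep submitting guesses against the same nonce. Clearing it on every attempt, and expiring it after a short window, keeps each start to a single try.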

rasz · 2 years ago
Start by not allowing thieves to connect thru the wheel well https://kentindell.github.io/2023/04/03/can-injection/
mysterydip · 2 years ago
Instead of technical/computational solutions, maybe there's a low-tech cage/shell that can be put around it so no one can just plug in?
punnerud · 2 years ago
Seems like the CANBUS is deactivated when the car is turned off on Volkswagen. Guess that is one way to fix it?
adolph · 2 years ago
As I understand it, CANBUS is a message network among relatively low-power devices. There are two ways of doing this:

  + Some credential exchange between devices to establish a web of trust
  + Devices are locked similar to Apple parts

rolph · 2 years ago
Place the port in the lockable cabin of the vehicle instead of behind a headlight.
millzlane · 2 years ago
It was easy enough to do with https://www.uprev.com/.

We had a specialist shop in the same area. You can disable Security+ with uprev.

Hell we would even use it to remove engines from nissans to make them run in whatever we put them in without the ignition. I can make the start signal just come from a momentary push button.

rlt · 2 years ago
Locksmiths can make new key fobs for nearly any car with access to the OBD2 port and the right software (though I don’t know if it requires a connection to the manufacturer)
fennecbutt · 2 years ago
I don't know if I have a clip of it still but that was nowhere near as fast as my neighbor's range rover being stolen during pandemic, broad daylight, four hoodies walk into our car park (flats) and walk out of camera view, 30 seconds later they're driving the range rover past the camera view and presumably rammed the gate we have (since it was broken).

Both car manufacturers and police are useless and it's fucking inexcusable, imo.

junon · 2 years ago
Damn. That's a wild video (wish there was a fast forward though). Curious how they did it. Is this a CAN bus hack?
bpoyner · 2 years ago
The answer is simple, we need to ban android tablets. /s
hoofhearted · 2 years ago
Fix the cars.

A brand new $60,000 car shouldn’t be so simple to swipe.

They probably spent less time stealing my neighbors car than he did waiting on the credit check to buy the car lol… it’s crazy these days with cars.

blooalien · 2 years ago
"Kill all humans!" ~ Bender B. Rodriguez

Headline the next day: "Crime rate on Earth now at an all-time low of zero percent!"

aosmith · 2 years ago
Given what's going on in Canada maybe they should just ban OBD tools altogether with the flipper. /s
swozey · 2 years ago
I will never, ever keep a car I care about outside anywhere near the city.

I know everyone doesn't have the funds for that, but I'm sorry, we all know how rampant car thefts have gotten since before those 3 Q50s in this video were even purchased. I live in the busiest neighborhood in downtown Denver, which has rampant property theft, cats cut out etc. non-stop.

I own 2 vehicles and neither of them are ever parked outside if I can help it. It means I have to pay pretty much twice for rent because now I need a 1-2 car private garage, which means I'm probably now in a condo or townhouse so every expense just gets higher and higher.

But you're in the bracket of living downtown with a brand new Q50. So I don't care what your excuse is, buying a luxury/attention-getter car and parking it outside in cities with rampant car thefts is just absolutely stupid.

Especially the people who buy the $80k luxu-box with the $5k 22" wheel add-on that gets ripped out of their mid-rise apartment parking garage a day later.

I've had a car stolen and insurance does NOT treat you well when it happens, and I never, ever want to deal with having a car stolen again no matter how much gap insurance/etc. I have.

blitzar · 2 years ago
> I know everyone doesn't have the funds for that

It's actually a fair bit cheaper to buy a $25k car than a $250k car.

hoofhearted · 2 years ago
Some of the issue here is that it’s actually a pretty nice area here in Baltimore, but our police force is currently understaffed and overworked.

One big issue here regarding policing is that our city elected officials can’t tell the city police force what to do.

You see, when the civil war broke out, the state took control of the police force so that the mayor couldn’t lead a confederate coup.

Flash forward to today, and those powers still have never been returned to the city. The mayor and city council set the police budget, but the chief of police takes direction from a state run board.

So there is a big disconnect between citizens voicing concerns to city council members, and those members' only ability being to "talk to the mayor".

When the cats away, the mice will play off with some stolen cars.

14 · 2 years ago
It would be trivial to hard-wire a kill switch to your fuel pump and have it hidden somewhere so no matter what, thieves can't drive off with your car. Much cheaper and more secure, as cars can be stolen from parking garages.
fargle · 2 years ago
stupid on stupid.

- it's incredibly stupid to ban the flipper zero because it's factually not even part of the problem

- but it's equally stupid to "ban insecure vehicles". if kia makes a cheap car with crappy locks either don't buy it (because maybe insurance) or add an aftermarket immobilizer or a steering wheel lock. if it was really negligent of kia to "save a couple bucks", then it's equally negligent on you for not spending a couple bucks.

- i also cringe at the idea that we throw the word negligent around when talking about failing to prevent other people's crimes. i'm not negligent for not doing enough to prevent the crimes of some other asshole. nor is kia. meanwhile, there are sibling threads here that point out that the us is far too hard on the criminals. so wait - kia and me and other law abiding entities are "negligent", but the asshole who stole the car deserves compassion, etc.?

- it's stupid-on-stupid-on-stupid to sit here discussing the problem of car thefts, caused by lack of enforcement of the existing laws against it, when the proposed solution is making more things illegal (and arguing about which things).

vsuperpower2020 · 2 years ago
Nobody knows a vehicle is insecure when they buy it. It's simpler, more cost efficient, and more valuable to society just to require cars to have basic security features. Your idea of market correction doesn't work in this case, because it's never advertised as having shitty security, and the average (or even informed) consumer will have no idea this is a problem until after they've bought the car.
Geisterde · 2 years ago
I never understand this argument. I hear it in the form "we should just regulate cars to be safer". Why don't you just buy a safer car? "What do you take me for? I got a Mustang GT, the last thing that car is worried about is safety". Interesting, you bought a car because it's fast, not paying any consideration to whether it could safely get you from point A to B, and this is what you rely on to get you to work?

It's not social Darwinism, the lack of critical thinking skills among the general population is alarming. Americans have apparently been coddled to the point that they aren't worried about basic needs; if you go to buy a car you should have some simple considerations: is this car safe? What are the typical maintenance costs? Is it common for this car to be stolen?

Things like housing, transportation, education, those are really central aspects of people's lives. It's all well and good that you want to draw symbols on paper and make all these things safe, but it appears to have come at a pretty serious cost. That cost is the inability of the US population to use critical thinking.

fargle · 2 years ago
if people cared, they would know

i think this issue is overblown and is being used as a smokescreen for the rash of vehicle thefts caused, not by bad kia security, but large-scale organized crime.

the_optimist · 2 years ago
Should other physical objects also be subject to this same regulation? What about bitcoins? Your proposed response is unsuccessful as policy reasoning.
phpisthebest · 2 years ago
In the age of information ignorance is no longer an option. Before I buy a car, most often the second largest purchase a person will make in their life next to housing, I do a TON of research: I look at insurance rates, I look at theft rates for that model, I look on Car Complaints and other databases for common failure items for that model, I have it inspected by an independent mechanic, having them pay extra attention to the common failure items, etc.

If you just roll in and let the salesman take you for a ride then you deserve the outcome.

rale00 · 2 years ago
> if kia makes a cheap car with crappy locks either don't buy it

Immobilizers were a standard feature on cars for decades. If you went to buy a car, no one was putting immobilizer on the list of features, and they certainly wouldn't let you try breaking the ignition lock on a test drive.

If they had advertised that their vehicles were insecure, then sure, it's on the buyer, but they didn't.

FerretFred · 2 years ago
How about Jaguar Land Rover making expensive cars with allegedly crappy locks? https://www.mirror.co.uk/news/uk-news/range-rover-owners-str...
fargle · 2 years ago
it'd be bad to advertise that they have an immobilizer or anti-theft when providing either nothing or a badly broken implementation (like you often see in IoT).

it's not negligence to simply not provide a feature they didn't promise to provide and weren't required to (in the US). it is simply not their responsibility in any way to ensure your car's safety from theft. if you assumed it was and that they provided a feature you wanted because everybody else usually does, then the negligent party would be you for not RTFM. except that's wrong here too.

nobody is negligent here. you do not have a social responsibility to have an immobilizer on your car to prevent it from being stolen. and neither does the manufacturer. having it locked is plenty to legally make it "breaking-and-entering". and even if you leave the keys in the car and the engine running, it's still grand theft and your insurance will indeed pay out, which they would not do if they could claim negligence. the criminals are 100% at fault here. and bad things can happen without someone being negligent.

arguing about anything beyond that is just a fight about how good that anti-theft system has to be. are you negligent if you don't have an armed guard on your car?

philistine · 2 years ago
The problem with Kia cars not having immobilizers is wholly american. It is illegal to sell a car in Canada without an immobilizer.
creaturemachine · 2 years ago
Tik-Tok-inspired Kia thefts weren't a problem in Canada because they've required immobilizers since 2007, something Kia skimped on for the US market.
sundvor · 2 years ago
Speaking as an outsider: How are Kias sales going these days? How's their reputation as a result of this?

Imo for removing security for the US market they deserve to be properly thrashed and dragged through the mud, regardless of the fact that they are offering upgrades for free if I read the following correctly.

https://www.nhtsa.gov/press-releases/hyundai-kia-campaign-pr...

It's not exactly an over the air "recall", and I understand a huge number are still out there unprotected.

CTDOCodebases · 2 years ago
Same thing in Australia since 2001.

Most cars here are stolen using key thefts or wireless relay.

ClumsyPilot · 2 years ago
> i'm not negligent for not doing enough to prevent the crimes of some other asshole.

If your entire job is selling locks and they don't prevent crime, then it's not negligent, it's fraudulent.

You want to be in the clear? Sell a car without a lock, see how many people buy that.

> if kia makes a cheap car with crappy locks either don't buy it

And if Boeing makes a cheap, unsafe plane, don’t fly on it

I would be happy to run this experiment if lying to a customer about safety/properties of your product led to capital punishment. But currently companies will simply defraud you by lying about their product, and suffer no consequence

gridspy · 2 years ago
> If your entire job is selling locks and they don't prevent crime

Does MasterLock making famously easy to pick / rake locks count? I'm sure they reduce crime compared to no lock but they are not as secure as the customer expects.

https://www.art-of-lockpicking.com/how-to-pick-a-master-lock...

fargle · 2 years ago
> And if Boeing makes a cheap, unsafe plane, don’t fly on it

yes. exactly. if boeing ever makes a cheap plane, i would definitely avoid it.

you are comparing a company that cheated on legally mandated safety requirements with a company that didn't put a non-legally required car immobilizer on a lot of their new cars. and then didn't lie about it.

> But currently companies will simply defraud you

but kia didn't do this

foxyv · 2 years ago
The problem occurs when a vendor makes claims that are false or fails to disclose known issues. I don't think either insecure cars or security tools should be banned. However, I think disclosures should absolutely be made.
paganel · 2 years ago
Nobody is mentioning how this is a social problem with the US that needs fixing; for example I oftentimes forget to lock my car's doors in the Eastern European capital where I'm living and yet I've never had anyone "steal" stuff from it.

But I get it, it's easier to think about applying technological or even legal solutions instead of thinking about how to fix a societal problem.

electriclove · 2 years ago
Yup, and you get downvoted for even trying to discuss it. Need the Overton window to shift slightly so it can be discussed on HN. It is a societal problem and I hope for our future we can fix it.
grubbs · 2 years ago
The last point is a hard one when the perpetrator is an 11-year-old kid who watched a TikTok video online on how to steal a Kia/Hyundai.
electriclove · 2 years ago
Punish the kid’s parents.. (oh wait, there might be a problem here)
jjav · 2 years ago
Indeed, it is dumb to ban anything.

A tool is a tool, it doesn't make the product weak, it already was.

Also it is silly to ban insecure cars, that's quite the slippery slope. If the cars are too easy to steal insurance will increase accordingly and that will provide incentives to fix that without banning anything.

WWLink · 2 years ago
Hrmm I wonder what would happen if I made a bank that used an unencrypted website for online banking lol.

The problem with your solution here where the insurance company raises rates... yea they already did that with regards to Kia/Hyundai cars and Kia Boyz thefts. The problem is, well, put it this way...

The last time you bought a car, did you check that the car had immobilizer software/hardware present on it? They don't really advertise that stuff anymore. About the only way you'd know on some brands is a nondescript red dot that shows up for a moment when you start the ignition.

Really, I'd bet a lot of people only found out their car didn't have an immobilizer feature until their insurance company dropped them or jacked their rates up... and that's a problem. See, you can buy a car NOW, and everyone thinks it's a good safe car.. until it turns out it wasn't.

fargle · 2 years ago
> If the cars are too easy to steal insurance will increase accordingly

that's exactly right. i was somewhat surprised that insurance was outright dropping people instead of simply increasing rates. and by the way, you can get a discount if you add x/y/z security alarm/immobilizer. the public outcry already has forced the issue with kia anyhow.

whycome · 2 years ago
Let's say a hardware exploit for iPhones becomes obvious and is spread through social media. Something absurd like "attaching a shorted iphone cable".

Are you going to be the first to buy an add-on lock or immobilizer? And everyone should also have to purchase an add-on?

jrockway · 2 years ago
I'd expect Apple to refund the cost of the phone and mail a box to send the faulty device in for recycling.

Making a defective product should not be free.

sonicanatidae · 2 years ago
>And everyone should also have to purchase an add-on?

Yes!

-Apple

sleepybrett · 2 years ago
It's called a recall, it happens all the time. Ask elon, lol.
bhickey · 2 years ago
> if it was really negligent of kia to "save a couple bucks", then it's equally negligent on you for not spending a couple bucks.

if kids didn't want lead in their apple sauce they'd start their own testing labs.

from-nibly · 2 years ago
Good thing the government has those testing labs and prevented that from ever happening.
sevagh · 2 years ago
> - i also cringe at the idea that we throw the word negligent around when talking about failing to prevent other people's crimes. i'm not negligent for not doing enough to prevent the crimes of some other asshole. nor is kia. meanwhile, there are sibling threads here that point out that the us is far too hard on the criminals. so wait - kia and me and other law abiding entities are "negligent", but the asshole who stole the car deserves compassion, etc.?

It's pretty simple: if some car manufacturers have much higher rates of theft and are easier to steal than others, they are negligent. If by catching up to industry-standard anti-theft practices, their cars become harder to steal, not doing so is negligent.

devmor · 2 years ago
Do you believe that consumer protections should not exist?
fargle · 2 years ago
yes, almost.

for example, if a company made a car alarm called "SUPER EXTRA SECURE ELITE++ V5" and told me it had a "guaranteed thief proof" immobilizer, but then we find that a viral Tik Tok video shows how, with a hairpin and spit, we can completely disable it in 5 seconds and take the car for a drive and access the owner's credit card info, and then also the car often bursts into flames while parked and turned off, and we of course find out that this was no "oops" and the corporations involved full well knew about these issues and hid them to get a bonus. well, that'd certainly be a job for consumer protection laws.

but this is a case of "you got what you paid for". there's a place in the market for crank-up windows and basic plain cars without keyfobs and fancy alarms. that isn't wrong, and it definitely isn't "negligence" just because other carmakers pick different places in the market. and the fact that criminals do bad things doesn't change that.

and, thank you very much, i don't need consumer protection against that kind of thing. let's start with the lying and cheating corps and work our way up to collusion and price fixing. then let's get onto repair...

rmauge · 2 years ago
Ignoring the strawman of an assailant deserving compassion or not, that's a self-serving and narrow definition of negligence. Any mechanism to protect from misuse has to be weighed against the magnitude of harm of the event occurring and the possibility of misuse. I would not expect my asset manager to have weak authentication systems to access my portfolio but don't expect any at all from a free online game. I expect both of these to consider the threats and make reasonable choices. And they would be negligent if they did not do this exercise. Whether it is an active threat or a passive act of god.
joe_the_user · 2 years ago
Sure, "don't ban anything", if your car crashes and kills you, "should have read Consumer Reports". Those botulism eggs? Keep an eye on things, damn it. /s

This ill-informed attitude goes over well here unfortunately.

And security may not be quite as pressing as safety, but poor security costs society besides costing the individual. When poor workers can't get to work 'cause stolen car, their bosses also suffer; when stolen cars are used in further you also get a social cost. etc.

the_optimist · 2 years ago
You provide no structural basis or reasoning for these cynical assertions, nor for the implied responses. Seems to be founded on a philosophical foundation of individuals requiring safety from “elsewhere,” and assuming that “elsewhere” actually provides it.
gchamonlive · 2 years ago
Security flaws are not born equal. I think there is supposed to be a clear distinction between flaws inherent in technology -- since you only know what you know nobody should be expected to develop impenetrable digital fortresses since that doesn't exist and would actually be harmful for the consumer -- and those flaws born out of neglect. The latter should be specified and treated accordingly, because it isn't a valid excuse that technology can't be 100% secure that the industry should accept poor standards.

Also, Flipper Zero can be made DIY, so I don't know if I get it, but the law will be DOA, and will actually work against the democratization and awareness of such flaws by the public.

nonrandomstring · 2 years ago
> Security flaws are not born equal.

Absolutely. And let's bring risk into this.

Security risks are not born equal.

Serious security thinkers evaluate according to factors of likelihood, impact, mitigation cost etc.

A car is a dangerous weapon, especially in the hands of a group of giddy kids, maybe drunk or way too high to drive. The likelihood of someone getting seriously injured or killed by joyriding is high. It's really high. And there's no mitigation to a dead child. The penalty? A very firm "please don't do that again!"

But then a kid like Aaron Swartz downloads some files and gets nine felony counts totalling 50 years in jail and a $1 million fine.

A justice system with these values has no concept of risk and proportionality and is beneath contempt.

Terr_ · 2 years ago
> especially in the hands of a group of giddy kids

Also the scenario where it's being used as a disposable battering-ram to smash into a store. (As you might expect, those are the stolen cars with lesser potential resale value.)

hcfman · 2 years ago
Europe expects you to. Otherwise you will be fined 15,000,000 euros. Thank you cyber resilience act.
joe_the_user · 2 years ago
Your points are generally good.

I should say I drive a twenty year old car with an immobilizer chip and basic logic sounding the alarm when someone breaks a window to open a door. As far as I can tell, that makes it very secure. So it seems like the onus is on the car manufacturers to create a vehicle at least as secure as this simple system.

gchamonlive · 2 years ago
Yes that is supposed to be the baseline, but the mentality of go fast, break things is just too seductive for the industry to pass on, apparently.
Chris2048 · 2 years ago
> Also, Flipper Zero can be made DIY

What's the actual wording, is it a ban on the FZ specifically? Could anyone sell a "Zipper Flero" clone?

whiterknight · 2 years ago
Guns can be made DIY, but laws still mitigate.
gchamonlive · 2 years ago
There is a big difference in putting together deadly artifacts and electronic devices you can fabricate using off-the-shelf chips and open protocols. Not saying you can't discuss regulating them, but to me they are in a different set of categories. Weapons are by default dangerous, their sole purpose being to cause physical harm, while a flipper zero can be used for instructional purposes and research.

As much as I hate the concept, it would be ridiculous for me to propose regulating Alexa because a kid can cause financial harm to the parents using it, but a weapon can't be in any imaginable circumstance reachable by anyone untrained.

gepeto42 · 2 years ago
One of the authors here. Someone just told me we were on the HackerNews front page, made me happy we just went with a static website on GitHub pages.

I will go through the comments later, but for now, if you are Canadian, please get in touch with your MPs.

I am working with some media as well for additional coverage in the next week, but if you know Canadian journalists that might be interested in this, please get in touch with them, educate them directly if you want or send them to me (my LinkedIn is in the signatures, the first two names in bold = authors).

Thanks for helping this story reach more people.

myself248 · 2 years ago
If the environment can be presumed to contain at least one wolf, then building houses out of straw and sticks is considered negligent and lazy pigs deserve to get eaten.

Responsible pigs who build from brick, sacrificing some profit in the name of security, are celebrated for their sound judgment and foresight.

A fairy tale has been telling us this for at least 200 years and probably much longer, history is unclear on how far back it goes.

It's amazing seeing this thread take the side of the negligent lazy pig. "But my thousand-dependency framework is mostly made of straw!", they say. "My boss won't give me time to even use sticks, much less brick!", they say. "It has to be this way!", they say.

LeifCarrotson · 2 years ago
The argument for the Flipper Zero is that it's an independent building inspector.

People are being sold houses where the builder says they're made of brick, and if not for this product, the pigs might live in a house believing it's brick until a wolf blows it down and reveals a thin layer of stucco over straw.

The home sellers are saying "but wolves and building inspectors alike can use this tool to blow down houses!" (porcine building inspectors use rather crude inspection methods). But it would be irrelevant if the houses were made of brick and not straw.

smoldesu · 2 years ago
It's not about lazy people versus diligent people, though. The companies are blaming the wolves, and arguing that they don't need to fix the issues since only the wolves threaten us (right now). That is a bad security model, and with or without Flipper Zero it will fail.
tylerchilds · 2 years ago
At this point, banning security tools is a violation of the second amendment.

Microsoft suffers breach after breach after acquisition after acquisition. I verbally note them to my wife to remember, "This is not normal," and even she said, "Why do the numbers keep getting worse and worse?" and I told her, "The database keeps getting larger and larger ever since they were only slapped on the wrist for not letting me boot straight to Firefox since childhood."

If you took away my ability to understand why the world around me is failing, we'd fall into further disrepair than we already are and we're not really allowed to repair anything, now are we?

RegnisGnaw · 2 years ago
Again this is not the US. This involves Canada, there is no second amendment.
sokoloff · 2 years ago
I'm struggling to connect how the banning of security tools would be a violation of the (US) second amendment.

A violation of the first, fourth, and ninth? I can see that. A propensity to violate the fifth? I can see that. But I can't see a strong connection to the second.

AnarchismIsCool · 2 years ago
A way of looking at the second amendment is as a reduction in imbalanced power structures. Its purpose, depending on how you read it, but as practiced in the US, is to put the citizenry on more level footing with the government so the government doesn't get too excited with their power.

Security bypasses/tools/exploits in that context are useful for leveling the playing field in a conflict, for instance we know the NSA is hoarding them for militaristic purposes. So if we call them cyber weapons rather than security tools it starts to make sense that, per that reasoning, citizens should have access to them too.

lithos · 2 years ago
There was a point in the US where encryption was barred from export based on arms export laws. Lots of pretty famous open source stories came from that. So it's not far fetched at all for the most part.

Though this is in US law, not Canada as related to the news story.

Forge36 · 2 years ago
Someone once stole my grandfather's car with a screwdriver. The ignition switch was broken off (probably with a hammer), and the starter could be actuated with the screwdriver. I don't remember how long he drove it that way.

Banning the tech is a bandaid to deeper problems. It's also great advertising that these tools are effective.