AUTONEWS

Hackers are using a $169 gadget to break into cars

The Flipper Zero has been a favorite tool for security researchers and hackers since the device made its debut back in 2021. Videos quickly popped up online showing the mischief that was possible, such as changing electronic signage, kicking people off of WiFi networks, etc. An investigation by 404 Media, however, shows there are hackers at work developing far more nefarious utilities for the device, which are now being used to break into and steal cars.

The same hacker behind the “Unleashed” firmware, which enables the device to perform a more varied set of USB and RFID attacks, is now selling software patches that lets a user break into cars. It works by having the Flipper Zero intercept a code from a vehicle’s keyfob and it then calculates what the next code will be. The developer says it creates a “shadow copy of the original key.”

This process of creating these shadow copies is necessary to circumvent the protections put in place by car manufacturers. Car companies use a rolling code system with most key fobs, in which the codes exchanged between a vehicle and its keyfob are constantly changing to prevent such attacks from occurring.

Thieves increasingly use a cheap gadget called Flipper Zero to unlock cars and steal them. The device, popular with hackers, uses custom firmware on the web to clone a key fob's radio signal. Its powerful capabilities and low entry barrier made it very popular with teenagers who try to break into cars.

Many compare modern vehicles to computers on wheels, and they are not far from the truth. Most of them are vulnerable to hackers, who are not shy about exploiting these vulnerabilities. However, unlike computer manufacturers, carmakers are not very skilled at securing their vehicles against hackers.

Of course, some carmakers are better at securing their vehicles than others. The rule of thumb is that EV makers like Tesla and Rivian are more competent in this regard than most legacy carmakers. Even in the latter group, it's enough to look at theft statistics and see that some don't offer much in terms of theft protection.

Recent studies showed that many Stellantis vehicles can be easily hacked, although Hyundai and Kia are just as vulnerable. The Koreans have been at the center of a huge scandal after people discovered that many cars sold in North America are not fitted with electronic immobilizers. This finding developed into a TikTok challenge, and the Kia Boyz name was coined.

Hyundai and Kia have since addressed this problem, but other vulnerabilities are coming back to hunt them. The Korean carmakers were recently engulfed in a new scandal involving a Nintendo Gameboy-shaped device that could emulate the key. Not only did this lead to many theft cases, but Hyundai made it worse by asking owners to pay to have the vulnerability fixed.

The Korean carmakers seem to be among the most exposed to such high-tech theft methods, because Hyundai, Kia, and Genesis are again the preferred targets in a new attack. This time, it involves the Flipper Zero, a $169 gadget used by security researchers in their work and increasingly adopted by criminal rings across the globe. With proper software, a Flipper Zero device can clone a key fob's radio signal so thieves can steal a car like child's play.

According to 404 Media, there's a lucrative underground market for Flipper Zero modified software. The mods enable a Flipper Zero device to unlock various vehicles, including Ford, Audi, Volkswagen, and Subaru, but also most of Hyundai and Kias up to MY2025. While the software mods cost money, they are also popular with hackers, which means they'll likely get cracked and distributed for free.

Security experts think the Flipper Zero's popularity could lead to a new theft epidemic, like the former TikTok Challenge. "Kia Boys will be Flipper Boys by 2026," Cody Kociemba, a reverse engineer who goes by the handle Trikk and who has cracked some of the software, told 404 Media. "There isn't really anything people can do to defend against it, other than not using their key fob, and the vehicles affected is a pretty huge list."

On the other hand, the device manufacturer insists the Flipper Zero is a multipurpose tool intended for security researchers to test and demonstrate vulnerabilities responsibly. They place the burden on carmakers to patch their vehicle software for vulnerabilities.

"Ultimately, the real issue lies in how some car manufacturers continue to ship systems with outdated security models," Flipper Devices told 404 Media. "Until companies take security more seriously and roll out regular updates, these vulnerabilities will persist regardless of the tool used."

Rolling codes aren't as effective as the manufacturers might’ve hoped, though. It’s currently possible to attack over 200 vehicles, affecting brands such as Ford, Kia, Subaru, Mitsubishi, Volkswagen, Audi and several others. The only car manufacturer not currently affected is Honda, although according to the software’s documentation it’s “under development.”

For now, the proliferation of this software has been limited because of the cost, which ranges from $600 to $1000 depending on what kind of long term support a buyer might want. However, there are active efforts underway to crack the software. If this were to happen then it would likely mean an increase in the number of car thefts and break-ins.

Car manufacturers have their work cut out for them to try and nip this in the bud before this software is more widely available. Hopefully it’s something that can be addressed with an update.

https://www.404media.co/inside-the-underground-trade-of-flipper-zero-tech-to-break-into-cars/

---------------------------------------------------------------------------------------------------------------------------

Xiaomi Robot Vacuum S10 - Robot vacuum and floor cleaner with intelligent route planning, 4000 Pa suction, three cleaning levels, white: https://amzn.to/3Js5fbe

ECOVACS Omni Vacuum Robot and DEEBOT X8 PRO Mop: https://amzn.to/3JrWCNT