Flipper Zero: It can now TRULY open cars

With all of the myths that have surrounded the Flipper Zero for years, this time we unfortunately have to revisit one of them. Until recently, the claim that a Flipper Zero could reliably unlock your car was just a hoax. Yes, on older cars you could capture the key fob signal, clone it and replay it, but that only worked for key fobs that didn’t use rolling codes to secure the signal. Until last week…

How it used to work

It has always been possible to steal or mess with cars using technology. Back in 2016, Troy Hunt showed that you could control the onboard systems of a Nissan Leaf through a vulnerable API. Another method that made the news in recent years is the weakness of keyless entry systems: it was possible to capture the signal of a key fob inside your house and relay it, so your car thinks the key fob is nearby.

Car manufacturers addressed this problem with a number of fixes. One of them is the “motion-activated key fob”: the fob goes into “sleep mode” if it doesn’t move for a set amount of time. While asleep it doesn’t broadcast a signal, so there is nothing to capture and relay to your car (a so-called “Relay Attack”). This is used by manufacturers such as BMW, Mercedes-Benz, the Audi / Volkswagen group and others (some of them disable keyless entry entirely on the key fob or car).

Since 1998 (when rolling codes became standard on most new cars with remote or keyless entry systems), it has been a relatively safe system. Every time you press a button on your key fob, a unique code is used to send a command to your car (lock or unlock the doors, open the boot, etc.). To abuse it you would need to replay a captured code over and over again, hoping that the rolling code system would eventually accept the same code again (some cars have a weakness where the sequence “resets” after a set number of codes has been used, like 1-2-3-4-5-1-2, etc.). A more reliable option would be to capture the signal from the key fob while at the same time jamming it, so it never reaches the car. That way the captured rolling code can still be used once, because the key fob sent it out but the car never received it.
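To illustrate the rolling-code behaviour described above, here is a toy fob/receiver pair in Python; it is example code added to this post, not anything from the firmware or sources discussed, and the HMAC construction, window size and key are assumptions chosen for the model rather than any manufacturer’s real scheme. It shows why a captured code is rejected when replayed, why a code the car never heard remains valid, and why that code dies as soon as the car hears a newer press.

```python
# Toy model of a rolling-code remote (added example, not from the original post).
# The fob and car share a secret; the transmitted "code" is a truncated HMAC of a
# counter, and the car only accepts codes strictly ahead of the last one it took.
import hashlib
import hmac

WINDOW = 16                    # resync window: how far ahead the car will accept
KEY = b"constructed-demo-key"  # shared fob/car secret (constructed, not real)

def make_code(counter: int, key: bytes = KEY) -> bytes:
    """Derive the over-the-air code for a counter value."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key: bytes = KEY):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        """Every press advances the counter, so no two presses emit the same code."""
        self.counter += 1
        return make_code(self.counter, self.key)

class Car:
    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key, self.window, self.last = key, window, 0

    def receive(self, code: bytes) -> bool:
        """Accept a code only if its counter lies in (last, last + window];
        anything at or behind the last accepted counter is a replay."""
        for c in range(self.last + 1, self.last + self.window + 1):
            if hmac.compare_digest(make_code(c, self.key), code):
                self.last = c
                return True
        return False

def replay_is_rejected() -> bool:
    fob, car = Fob(), Car()
    code = fob.press()
    return car.receive(code) and not car.receive(code)  # second send is a replay

def unheard_code_still_valid() -> bool:
    """Jam-and-capture relies on this: a code the car never heard stays valid."""
    fob, car = Fob(), Car()
    missed = fob.press()        # counter 1, jammed so the car misses it
    return car.receive(missed)  # car.last is still 0 -> accepted

def stale_after_newer_press():
    fob, car = Fob(), Car()
    missed, newer = fob.press(), fob.press()        # counters 1 and 2
    return car.receive(newer), car.receive(missed)  # (True, False): missed code is dead
```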

All in all, this wasn’t reliable at all, because codes would only work once, and you would need to invest heavily in technology, manpower and patience.

What changed?

On July 17 the first “public” news broke that a new type of firmware for the Flipper Zero could break rolling codes, posted by Ryan Montgomery (0Day):

At first this looked like just another claim that “this truly works”; such claims come and go, and in most cases they turn out not to work, or only to work for a specific car brand or key fob. But after a second source surfaced, the story became more credible:

Talking Sasquach posted a video showing the same firmware.

How does this work?

According to the information available at this moment, this is a new custom firmware for Flipper Zero. It’s created by a “Russian Hacker”, and available for purchase on a “Darkweb forum” for around $1000. The firmware comes with a list of the vehicles that are affected, including cars from manufacturers like Dodge, Ford, Kia, Mitsubishi, Chrysler, Ferrari, Fiat, Hyundai, Jeep and Subaru.

This firmware only needs one key fob button press to decrypt the rolling codes, and automatically determines the codes for all the other buttons. So, for example, if you capture a press of the “open boot” button, it automatically derives the codes for the other buttons (lock, unlock and panic).

How credible is this story?

To start off, this post is in no way intended to discredit any of the sources. But there are some interesting things going on. If you compare the keys used in the example videos, what do you notice?

0Day (left), Talking Sasquach (middle), and Straight Arrow News (right)

All three videos use a Ford key. A quick search tells us that this is probably a key for 2012-2022 Ford models (these key fobs were phased out between 2021 and 2024 and replaced by a new design). With this information (and a bit of AI help), the key and car Talking Sasquach uses could potentially be a third generation (Mk3) Ford Focus built between 2011 and 2014.

So what do these key fobs have in common, you ask? Well, Chrysler, Dodge, Jeep and Fiat all fall under Stellantis, and Hyundai and Kia are part of the Hyundai Motor Group, so there is a good chance they share the technology used in their key fobs. With more knowledge of exactly what technology these key fobs or cars use, it might turn out that they are all vulnerable to the same attack, or that the way the rolling codes are calculated contains a vulnerability.

The fact that all three examples use a Ford key to show it’s possible could have multiple reasons. Maybe this vulnerability is easier to exploit on a Ford, or maybe it’s easier to find a Ford in the USA than a Ferrari (sounds logical, right?). The news article that Straight Arrow News created together with tech and security reporter Mikael Thalen also uses a Ford to show what happens.

Without having the firmware itself, it’s currently impossible to determine the actual reason.

Talking Sasquach posted a video with some more details and how this all started, and you can watch that here.

Do you need to worry?

Even though this might scare you, maybe it’s not as bad as it looks. Let me explain why.

  • Is this a new vulnerability?
    • No, it isn’t. Hacking rolling codes was proven to work in a DEF CON 23 (2015) talk by Samy Kamkar, who used a “Radica Girltech IM-ME texting toy from Mattel” to demonstrate his “OpenSesame” attack.
  • Is it a new capability?
    • No, it isn’t. The difference is that it’s now all brought down to a firmware you can run on a small, handheld device like a Flipper Zero. You still need to find and purchase the firmware right now, although it might pop up on a more public source in the (near) future because it’s currently being distributed amongst security researchers.
  • Is it new to Flipper Zero?
    • No, not really. There are already firmwares and apps available for download that make it possible, or at least attempt, to decode rolling codes, with mixed results.
  • Does it allow thieves to steal your car now?
    • No. Even though someone can capture your key fob signal in a parking lot, they can’t just get in and drive off. There’s a transponder in the key that communicates with an electronic immobiliser, which has been mandatory in all new cars since the early 2000s. So somebody could steal your stuff from your car, but they can’t just drive off with it.
  • Is it an opportunity for car manufacturers to adapt and overcome?
    • Yes, for sure. Car manufacturers are like any other company: if they are not pushed to innovate, they take the technology they have on the shelf and run with it. Sometimes it feels like they stopped thinking about security after the introduction of airbags in the 1970s, and if it costs them money they just refuse to change…

Conclusion

For some reason, it always comes down to the discussion of whether or not to ban the Flipper Zero. Do you want to ban baseball bats and bricks as well, then? Because they can also be used for the wrong purposes, or to break into a car…

Technology evolves fast, and that won’t change in the future. So maybe the solution is to never stop innovating, whatever company you have or product you manufacture. It doesn’t mean you need to change your entire business model overnight, but spend some time thinking about security from the start, don’t be afraid to look back at what you created in the past, and ask yourself: would this still hold up against today’s technology? Look at it from a different angle, with different people, think like a bad actor and see what’s possible, because “Yesterday’s solutions won’t solve tomorrow’s problems”…

Disclaimer

This post is for informational purposes only, and we are not liable for any loss or damage resulting from its use.

Also: don’t be a skiddie, or an a-hole, and stay vigilant!
