Banning hacking devices won’t prevent car thefts, security experts say
The Trudeau government’s proposal to ban over-the-counter hacking devices will not prevent car thefts, experts and police sources consulted by Radio-Canada say.
Those experts argue the government is improvising in its fight to bring down the number of vehicle thefts in Canada.
“It came out of nowhere,” said Francis Coats, a security engineering expert who teaches at the École de technologie supérieur de Montréal (ETS).
On the sidelines of its summit on car theft in early February, the federal government announced its intention to ban the sale and use of over-the-counter-hacking devices such as Flipper Zero — devices it says can be used to steal vehicles.
The government fears these devices (known as software-defined radios, or SDRs) could copy and reproduce the signals used to unlock and start vehicles.
Exaggerated risk?
But security experts and police sources told Radio-Canada they believe the risk posed by such devices is exaggerated. Banning them in Canada, they say, will not stop the real criminals.
“It won’t change much in the street,” said a police source, who asked that they not be named in order to be able to speak freely.
“There are many devices of this type that are already banned in Canada and are still used by car thieves,” the source said in French. “Banning two more models isn’t going to make much difference.”
And the commercially available devices, such as Flipper Zero, are rather rudimentary, according to many security experts.
“You cannot use a Flipper Zero to unlock or start a newer car,” said Guillaume Ross, security manager at Jupiter One, a software development firm.
Modern keys never use the same unlock code twice in a row. Instead, they use a series of rolling codes. So even if the signal is captured by a device, it cannot be reused to access vehicles, Ross said.
Ottawa is “completely on the wrong track” and should abandon the idea of a ban, he said.
In an open letter signed by 915 people who work directly or indirectly in the security industry, Ross wrote in French that Ottawa’s proposal is “ill-advised and based on a misunderstanding of technology … based on outdated and ill-informed assumptions.”
“This is one of the first times I have seen such unanimity in the community of security experts,” Coats said.
Lack of consultation
Alex Kugalin, founder of Flipper Zero, which is named in the federal government’s announcement, said his company was never contacted by the federal government before the announcement.
Kugalin said the company went on X, formerly Twitter, to ask Innovation Minister François-Philippe Champagne to cite the evidence he was using to justify banning the device. He said the company didn’t receive an answer.
Security experts contacted by Radio-Canada say they also wonder where the federal government is getting its advice.
There are few experts in the field in Ontario and Quebec, Coats said.
“I could invite them to dinner and I would have enough with two or three pizzas to feed them,” he said. “But we can’t find who Ottawa consulted.”
Federal government responds
The government says it’s still considering how best to move forward with its ban on hacking devices.
Champagne said Wednesday that top police officials who gathered for the summit earlier this month supported banning such devices.
“We have to look at all the tools we have at our disposal, and banning hacking devices is one of them,” he told reporters in French. “The goal is to make life difficult for criminals.”
Flipper Zero can be used for purposes other than those intended by its manufacturer, said Champagne’s spokesperson Audrey Champoux. The ban under consideration targets a host of other, lesser-known hacking tools used for illegitimate purposes, she said.
Amazon already prohibits the sale of the devices.
In the United States, the National Insurance Crime Bureau recommends that governments limit access to this potentially dangerous technology. But the bureau also acknowledges it has no data on how often these devices are used in vehicle thefts.
In Canada, neither the federal government nor the Insurance Bureau of Canada has data on this subject.
Defending their tools
Security experts admit the over-the-counter hacking devices that Ottawa wants to ban are part of their everyday toolbox.
Such digital gadgets help them find simple loopholes in security systems and plug the breach before criminals slip through, they say.
“If we ban the tools that allow us to do research, we won’t be able to tell when we find bugs in the systems to improve them,” Ross said.
He said the problem isn’t the devices but rather manufacturers who build vehicles with vulnerabilities.
Champagne said Wednesday the the government plans to issue licences to people who use the devices for legitimate reasons.
“If there are people who make legitimate use of them to help us fight crime, it is clear that we will give them an operating licence,” he said in French. “Everybody understands that in the industry.”
Ross said he believes the government should work with vehicle manufacturers to raise safety standards. He suggests penalizing manufacturers according to the number of vehicles that are stolen in a year, in order to create a financial incentive to build more secure vehicles.
Équité Association, which investigates insurance fraud on behalf of member insurance companies, said in a statement to Radio-Canada that Canada’s motor vehicle safety regulations are “terribly outdated” and must be modernized.
The standards were introduced in 2007, before keyless and remote start technologies were widespread.
“Criminals are now taking advantage of these outdated standards and are able to quickly and easily exploit these vulnerabilities, which has led to this significant increase in stolen vehicles across Canada,” said Bryan Gast, Équité’s vice-president of investigative services.
“Any steps that can be taken that make it more difficult for the criminal to steal your vehicle in the first place is a good thing, including modernizing the vehicle safety standards.”