We live in a timeline where one viral car theft trend is sure to be displaced by the next—and soon. The most dominant carjacking movement of the last few years has undeniably been the Kia Boys, whose members target Hyundai and Kia models with weak and easily tricked security systems. Thefts were so frequent and widespread for a while that recurring cable news segments warned the entire country about them. It now seems like another trend could be brewing as bad actors abuse a device called Flipper Zero to break into cars made by more than a dozen manufacturers.
Investigative tech journalism site 404 Media published an in-depth report on the development Thursday morning. The story highlights how hackers are abusing the $199 Flipper Zero—a device defined by its creators as “a versatile tool for hardware exploration, firmware flashing, debugging, and fuzzing”—to unlock vehicles without a key fob. We’ve written about these little white-and-orange gadgets before, first when nerds were using them to remotely open Teslas’ charging doors, and then again later when someone found out how to use them to turn traffic lights green.
This new use for the Flipper Zero is far more nefarious. 404 Media spoke with a Russia-based hacker named Daniel, who says he developed the “Unleashed” firmware that enables devices to execute more RFID and USB attacks. “Maybe someone is using it to steal from cars or steal cars,” Daniel said, after alleging that the firmware is “in demand” with locksmiths and car shop owners. He sells the Flipper Zero patches for either $600 or $1,000, depending on whether customers simply want the latest version or updates with further support.
Daniel told 404 Media that he’s sold the firmware to 150 or so customers in the past two years, and he works alongside a hacker who goes by Derrow.
“Kia Boys will be Flipper Boys by 2026,” explained Cody Kociemba, a reverse engineer otherwise known as Trikk, to 404 Media.
It has such potential to scale because the tech can help thieves infiltrate a large list of vehicles. From Kias and Hyundais to Fords, Hondas, Subarus, VWs, and more, many of today’s most popular makes and models are vulnerable. Nearly 200 specific examples are listed in this chart that Daniel uploaded at the beginning of a recent YouTube video.
Daniel claims it creates a “shadow copy of the original key.” From what I can tell, however, it’s only able to unlock the car—not start it. Still, that poses obvious security risks, even if someone can’t drive away with your ride (yet). “Some cars like Kia are not using any protection at all, which makes it easy to open them,” Derrow wrote in an email. “For other vendors you must know the source code, then you can open them too.”
If you want a more technical breakdown of how the Flipper Zero hacks work, you should check out the full 404 Media report. Really, if you’re interested at all, you ought to read it. The most important takeaway is that many, many of the world’s most popular cars are largely defenseless against these hacks, and it’s seemingly a matter of time before thieves can do more than break into them.
Got a tip or question for the author? Contact them directly: [email protected]
Comments