OTTAWA — The federal government’s plan to ban “consumer hacking devices” to combat auto theft has Canadian cybersecurity professionals both scoffing and despairing.

“The government seems to be making policy decisions based on fake YouTube videos instead of consulting with subject matter experts,” said Jason Keirstead, vice-president of collective threat defence at Cyware, which sells technology for identifying cyberthreats and coordinating rapid responses to them.

Innovation Minister François-Philippe Champagne announced the impending ban at the end of last Thursday’s federal summit on car thefts, naming Flipper Zeros as examples of the tools the government will target.

“Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried,” he wrote on X. “Today, I announced we are banning the importation, sale and use of consumer hacking devices, like Flippers, used to commit these crimes.”

What’s a Flipper Zero? A handheld device with a simple monochrome screen and a built-in “software-defined radio.” Unlike more traditional transmitters and receivers whose capabilities are determined by hardware, the Flipper Zero’s can read, copy and emit signals in a wide range of frequencies, with software commands telling it how to behave.

“There are radio frequencies used everywhere in modern-day life, and the Flipper Zero helps you see them and be able to interact with them,” said Ian Paterson, CEO of Plurilock, which makes technology for authenticating users of digital systems based on how the users interact with them. “For somebody who is technically inclined and curious and wants to explore, it can be a way of just understanding the world around them.”

Plus, he said, “they’re kind of cute.” They look something like an old-school Game Boy, something like a Tamagotchi; part of the “Flipper” theme is a dolphin character on the screen that gets happier the more you use the device.

Funded by a Kickstarter campaign, the idea was to “combine all the research and penetration hardware tools that you could need on the go,” to be useful to people who like playing with radio signals and to experts who want to spoof them to test digital devices’ security levels. The campaign had a US$60,000 goal and raised nearly US$4.9 million.

Now the “multi-tool device for geeks” is a product from Flipper Devices, registered in the United States.

The components are commodity parts and the software is open-source. “If you have an account on AliExpress, you can buy all the hardware and put it all together yourself,” said Alex Dow, co-founder and chief innovation officer at cybersecurity consulting firm Mirai Security in Vancouver.

His firm uses them for simple penetration testing—probing clients’ security—because at $300 or so each, Flipper Zeros make more sense than building their own devices, he said.

Another alternative: “Any laptop,” said Dow. “All you need is a USB software-defined radio to be doing exactly what the Flipper is doing.”

Does copying radio signals help car thieves?

The premise of the federal ban is that tools like Flipper Zeros can be used to steal vehicles by snagging the signal from a car’s fob and replicating it, allowing a thief to open a vehicle, start it and drive away.

That’s not quite how a fob functions, Keirstead said.

“Any garage opener or car that’s been made in the past 25 years has what’s called rolling codes,” he said. “They change every time you press the button. Because of that, you can’t just capture a code and replay it using a Flipper. It won’t work.”

TikTok is replete with videos of Flipper Zeros apparently unlocking cars and doing other magic. “They’re fake videos that people are doing to try to get views on social media,” Keirstead said.

Dow said a Flipper Zero can do some “parlour tricks” and could be used for nuisance mischief like resetting someone’s Wi-Fi connection or opening parking gates.

“Some lower-end people could use it for very, very petty crime. But on the scale we’re seeing, in terms of getting a vehicle into a shipping container and off to the Middle East, they’re not using Flipper Zeros,” he said.

How will a ban work?

Champagne is still deciding, said his spokesperson, Audrey Champoux, in an email to The Logic. The same message revised Champagne’s statement to say a ban will apply only to some people:

“The intent is to move forward with measures to restrict the use of such devices to legitimate actors only, and therefore the importation, possession, sale, and use by illegitimate actors will be banned,” she wrote. “Innovation, Science and Economic Development Canada is already working with Canadian companies, online retailers and the automotive industry to address this issue and will be announcing its specific plans in the near future.”

On X, Flipper Devices challenged Champagne to “provide any evidence of Flipper Zero being involved in any criminal activities of this kind,” saying it doesn’t know of any cases.

What’s the harm in banning these things?

“I think it runs counter to an innovation policy,” said Paterson. “The more that we can do to encourage young Canadians to tinker with technology, it increases the chances that we’ll have another BlackBerry or another Nortel. When you move to ban generic multipurpose devices like Flippers, it runs counter to that innovation goal.”

If cars are vulnerable to any such devices, the solution is to strengthen the cars, not ban the tools, he said. You don’t ban lightbulbs because one overheats and burns down a house.

“It’s been painting Canada in a very negative light because of the misinformation,” said Keirstead. “People are laughing at the government.”