404 Media

Welcome back to the Abstract! Here are the studies this week that ruled the roost, warmed the soul, and departed for intergalactic frontiers.

It will be a real creature feature this week. First, we will return to the realm of bats and discover that it is, in fact, still awesome. Then: poops from above; poops from the past; a very special bonobo; and last, why some dead stars are leaving the Milky Way in a hurry.

Bat hugs > Bear hugs

Tietge, Marisa et al. “Cooperative behaviors and social interactions in the carnivorous bat Vampyrum spectrum.” PLOS One.

Welcome to The Real World: Bat Roost. Scientists installed a camera into a tree hollow in Guanacaste, Costa Rica to film a tight-knit family of four spectral bats (Vampyrum spectrum) over the course of several months. The results revealed many never-before-seen behaviors including bats hugging, playing with cockroaches, and even breaking the fourth wall.

“We provide the first comprehensive account of prey provision and other social behaviors in the spectral bat V. spectrum,” said researchers led by Marisa Tietge of Humboldt University in Berlin. “By conducting extensive video recordings in their roost, we aimed to document and analyze key behaviors.”

Spectral bats are the biggest bats in the New World, with wingspans that can exceed three feet. They are carnivorous—feasting on rodents, birds, and even other species of bat—and they mate in monogamous pairs, which is unusual for mammals. But while huge flesh-eating bats sound scary, the new study revealed that these predators have a soft side.

For example, the footage captured a “greeting” ritual that included “a hugging-like interaction between a bat already in the roost and a newly arrived bat,” according to the study.

“The resident bat may actively approach or greet the newcomer as it reaches close proximity in the main roosting area,” the team said. “The greeting behavior is comparable to the initiation to social roosting, where at least one bat wraps its wings around the other, establishing a ball-like formation for several seconds. This behavior is often accompanied by social vocalizations.”

There’s nothing like coming home after a graveyard shift to a warm welcome in a fuzzy ball-like formation. In keeping with their gregarious nature, the footage also showed that the bats are very generous with sharing prey, with only a single instance of a “tug-of-war” breaking out over dinner.

“Prey provision was a clearly cooperative social behavior wherein a bat successfully captured prey, brought it to the roost where group members were present, and willingly transferred the prey to another bat,” the researchers said. “Audible chewing noises are a distinctive feature of this process.”

Loud chewers in any other context are profoundly irritating, but these bats get a pass because it’s kind of hard to be quiet while crunching through mouse bones perched upside-down.

In addition to all the hugging and prey-sharing, the bats were also observed playing together by chasing cockroaches or, in one case, messing with the camera by altering its position. I can’t wait for the next season!

In other news…

Skyward scat

Uesaka, Leo and Sato, Katsufumi. “Periodic excretion patterns of seabirds in flight.” Current Biology.

Speaking of putting cameras in weird places, why not strap them to the bellies of seabirds? Scientists went ahead and did this, ostensibly to examine the flight dynamics of streaked shearwaters, which are Pacific seabirds. But the tight focus on the bird-bums produced a different revelation: Shearwaters almost exclusively poop while on the wing.

“A total of 195 excretions were observed from 35.9 hours of video data obtained from 15 streaked shearwaters,” said authors Leo Uesaka and Katsufumi Sato of the University of Tokyo. “Excretion immediately after takeoff was frequent, with 50 percent of the 82 first excretion events during the flying periods occurring within 30 seconds after take-off and 36.6 percent within 10 seconds.”

“Occasionally, birds took off, excreted, and returned to the water within a minute; these take-offs are speculated to be only for excretion,” the team continued. “These results strongly suggest that streaked shearwaters intentionally avoid excretion while floating on the sea surface.”

This preference for midair relief might allow seabirds to lighten their load, prevent backward contamination, and avoid predators that sniff out excrement. Whatever the reason, these aerial droppings provide nutrients to ocean ecosystems, so bombs away.

Please clean up after your 9,000-year-old dog

Slepchenko, S.M. et al. “Early history of parasitic diseases in northern dogs revealed by dog paleofeces from the 9000-year-old frozen Zhokhov site in the New Siberian Islands of East Siberian Arctic.” Journal of Archaeological Science.

Hold onto your butts, because we’re not done with scatological science yet. A study this week stepped into some very ancient dog doo recovered from a frozen site on Siberia’s Zhokhov Island, which was inhabited by Arctic peoples 9,000 years ago.

By analyzing the “paleofeces,” scientists were able to reconstruct the diet of these canine companions, which were bred in part as sled dogs. The results provide the first evidence of parasites in Arctic dogs of this period, suggesting that the dogs were fed raw fish, reindeer, and polar bear.

“The high infection rate in dogs with diphyllobothriasis indicates a significant role of fishing in the economic activities of Zhokhov inhabitants, despite the small amount of direct archaeological evidence for this activity,” said researchers led by S.M. Slepchenko of Tyumen Scientific Center. “The presence of Taeniidae eggs indicates that dogs were fed reindeer meat.”

The team also noted that after excavation, the excrement samples were “packaged entirely in a separate hermetically sealed plastic bag and labeled.” It seems even prehistoric dog poop ends up in plastic bags.

Kanzi the unforgettable bonobo

Carvajal, Luz and Krupenye, Christopher. “Mental representation of the locations and identities of multiple hidden agents or objects by a bonobo.” Proceedings of the Royal Society B.

Playing hide-and-seek with bonobos is just plain fun, but it also doubles as a handy experiment for testing whether these apes—our closest living relatives—can track the whereabouts of people, even when they are out of sight.

Kanzi, a bonobo known for tool use and language skills, participated in experiments in which his caretakers hid behind screens. He was asked to identify them from pictures or voices and succeeded more than half the time, above chance (here’s a video of the experiment).

”Kanzi presented a unique and powerful opportunity to address our question in a much more straightforward way than would be possible with almost any other ape in the world,” said authors Luz Carvajal and Christopher Krupenye of Johns Hopkins University. “He exhibited not only strong engagement with cognitive tasks but also rich forms of communication with humans—including pointing, use of symbols, and response to spoken English.”

Kanzi was also a gamer who played Pac-Man and Minecraft. Image: William H. Calvin, PhD -

Sadly, this was one of Kanzi’s last amazing feats, as he died in March at the age of 44 in his long-time home at the Ape Initiative in Des Moines, Iowa. But as revealed by this posthumous study, Kanzi’s legacy as a cognitive bridge between apes lives on. RIP to a real one.

Zero to 4.5 million mph in a millisecond

Glanz, Hila and Perets Hagai B. et al. “The origin of hypervelocity white dwarfs in the merger disruption of He–C–O white dwarfs.” Nature Astronomy.

We will close with dead stars that are careening out of the galaxy at incomprehensible speeds. These objects, known as hypervelocity white dwarfs, are corpses of stars similar in scale to the Sun, but it remains unclear why some of them fully yeet themselves into intergalactic space.

“Hypervelocity white dwarfs (HVWDs) are stellar remnants moving at speeds that exceed the Milky Way’s escape velocity,” said researchers co-led by Hila Glanz and Hagai B. Perets of the Technion–Israel Institute of Technology. “The origins of the fastest HVWDs are enigmatic, with proposed formation scenarios struggling to explain both their extreme velocities and observed properties.”

The team modeled a possible solution that involves special white dwarfs with dense carbon-oxygen cores and outer layers of helium, known as hybrid helium-carbon-oxygen (HeCO) white dwarfs. When two He-CO white dwarfs merge, it may trigger a “double-detonation explosion” that launches one of the objects to speeds of about 4.5 million miles per hour.

“We have demonstrated that the merger of two HeCO white dwarfs can produce HVWDs with properties consistent with observations” which “provides a compelling explanation for the origin of the fastest HVWDs and sheds new light on the diversity of explosive transients in the Universe,” the researchers concluded.

With that, may you sail at hypervelocity speeds out of this galaxy and into the weekend.

Thanks for reading! See you next week.

From 404 Media via this RSS feed

A man holds an orange and white device in his hand, about the size of his palm, with an antenna sticking out. He enters some commands with the built-in buttons, then walks over to a nearby car. At first, its doors are locked, and the man tugs on one of them unsuccessfully. He then pushes a button on the gadget in his hand, and the door now unlocks.

The tech used here is the popular Flipper Zero, an ethical hacker’s swiss army knife, capable of all sorts of things such as WiFi attacks or emulating NFC tags. Now, 404 Media has found an underground trade where much shadier hackers sell extra software and patches for the Flipper Zero to unlock all manner of cars, including models popular in the U.S. The hackers say the tool can be used against Ford, Audi, Volkswagen, Subaru, Hyundai, Kia, and several other brands, including sometimes dozens of specific vehicle models, with no easy fix from car manufacturers.

These tools are primarily sold for a fee, keeping their distribution somewhat limited to those willing to pay. But, there is the looming threat that this software may soon reach a wider audience of thieves. Straight Arrow News (SAN) previously covered the same tech in July, and the outlet said it successfully tested the tool on a vehicle. Now people are cracking the software, meaning it can be used for free. Discord servers with hundreds of members are seeing more people join, with current members trolling the newbies with fake patches and download links. If the tech gets out, it threatens to supercharge car thefts across the country, especially those part of the social media phenomenon known as Kia Boys in which young men, often in Milwaukee, steal and joyride Kia and Hyundai cars specifically because of the vehicles’ notoriously poor security. Apply that brazeness to all of the other car models the Flipper Zero patches can target, and members of the car hacking community expect thieves to start using the easy to source gadget.

“Kia Boys will be Flipper Boys by 2026,” Cody Kociemba, a reverse engineer who goes by the handle Trikk and who has cracked some of the software, told 404 Media.

💡Do you know anything else about people using the Flipper Zero to break into cars? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

The Flipper Zero was first announced on Kickstarter in 2020 and raised nearly $5 million. Since then, hackers and hobbyists have made their own Flipper Zero firmware to make the tool even more powerful. There is “Unleashed” which opens up the device to perform more RFID or USB attacks, for example. A hacker called Daniel told 404 Media he is the original creator of the Unleashed firmware.

Daniel also sells his car-unlocking Flipper Zero patches for either $600 or $1,000, paid in cryptocurrency. With the former, you just get the latest version. With the latter, you receive future upgrades and support. Daniel claimed to 404 Media he has sold tech to around 150 people over the past two years.

“Maybe someone is using it to steal from cars or steal cars,” Daniel said. They also said it is “in demand” from locksmiths or car shop owners.

On YouTube, Daniel shows the device being used on a Ford vehicle; another targets a Volkswagen; some show Kias; and another is a Solaris KRX. Just a few days ago, Daniel uploaded a new video demonstrating what he described as a “big upgrade” for the software, and its capabilities against more vehicles. Daniel has a partner who goes by the name Derrow and also sells the tech. They have their own website that includes a list of recent updates: in July the team added support for Citroen and Peugeot. This month, they added more Ford models.

A screenshot of Daniel's YouTube channel's recent videos.

Some of those videos show road signs in Russian, including for an airport in Moscow; Daniel told 404 Media he was based in Russia.

For years police have highlighted the prevalence of another type of attack, called a relay attack, which essentially extends the range of a victim’s keyfob. With that, a thief can unlock a car, say, in a driveway, while the keyfob is still inside a target’s home. I previously spoke to someone who sells this sort of tech to target luxury vehicles.

One countermeasure to techy-car thieves is the use of rolling codes. Modern vehicles use a different code each time to unlock a vehicle, which is supposed to stop thieves who clone the fob from being able to break into a car. But with this Flipper Zero attack, the tool intercepts a target’s keyfob code, then calculates what the next code will be, unlocking the vehicle. Daniel described it as a “shadow copy of the original key.” (A side effect is that the attack can desynchronize the real keyfob, meaning the actual owner won’t be able to open their car until it is reset. A comment on one of Daniel’s YouTube videos from someone with locksmith in their username says “I'm going to make a fortune fixing desynced fobs.”)

To build this capability, Daniel said he has bought various pieces of source code from other people. That includes code related to grabbing details transmitted by the keyfob; code concerning spare keys; and “other specific hardware.” Daniel and Derrow then created this new capability and configured it to work with a Flipper Zero and Raspberry Pi respectively, Daniel said.

Derrow told 404 Media in an email that “​​Some cars like Kia are not using any protection at all, which makes it easy to open them. For other vendors you must know the source code, then you can open them too.”

Screenshots of the PDF provided by Daniel.

Daniel shared a PDF which lays out the vehicles the patches allegedly work against. It names nearly 200 specific models of vehicles, including many 2025 versions. As well as Subaru, Fiat, Ford, Mitsubishi, Suzuki, Peugeot, Citroën, Volkswagen, Skoda, and Audi, the document also says Honda is in development.

“There isn't really anything people can do to defend against it, other than not using their key fob, and the vehicles affected is a pretty huge list,” Trikk, the reverse engineer, said.

404 Media contacted all of the vehicle manufacturers mentioned in the document. Most did not provide a statement on whether they were aware of the attack or what they were doing to mitigate it. Ford declined to comment.

“Hyundai is aware of recent media reports of custom firmware for the Flipper Zero tool that targets certain key fobs for vehicles made by several automakers. We are evaluating this issue and, to date, have not identified any confirmed cases of this method being used in thefts of Hyundai or Genesis vehicles,” a Hyundai spokesperson told 404 Media.

Flipper Devices, the company that makes the Flipper Zero, told 404 Media in an email that “we are not aware of any officially confirmed cases of theft using a Flipper Zero.” It stressed that the Flipper Zero is a multipurpose tool intended for security researchers to test and demonstrate vulnerabilities in a responsible manner.

“We have seen reports from researchers who have used Flipper Zero with third-party software and hardware to exploit brazen vulnerabilities in certain cars. We hope car manufacturers will take the security of their products more seriously and patch them up immediately, as carjackers have access to extremely sophisticated black market tools,” the statement added. “Ultimately, the real issue lies in how some car manufacturers continue to ship systems with outdated security models. Until companies take security more seriously and roll out regular updates, these vulnerabilities will persist regardless of the tool used.”

0:00/0:13 1×

The site that new visitors asking for the tool are directed to.

When customers buy his patch, Daniel says he requires photos from the Flipper Zero’s box showing the device’s serial number, and a photo of a specific part of the gadget’s settings. This is to lock the purchased patch to a customer’s device, so as “to prevent stealing, unauthorised distribution, reverse-engineering and any other unwanted manipulations,” Daniel said.

His partner Derrow distributes the patches similarly. Their website reads “All Firmwares are personalized and it is strictly forbidden to pass it to any third party! Violating this rule disqualifies you for any further support, and your Firmware and account will be blacklisted for further use!”

With a cracked version, anyone with a Flipper Zero and some basic tech knowledge could use the gadget to break into cars without having to pay the original developers. Daniel acknowledged that some people had cracked his software, but claimed that the newest versions were still secure.

Trikk said cracked versions of the software are “being guarded by people who have it” in an attempt to stop abuse. When new people join Discord servers that discuss the tech, they often ask for a free version of the tool. In response, members of one reply with the https://private.unleashedv2.dev/, which redirects to a flashy webpage that says “fuck you” and “you don’t belong here.” Trikk said people who ask are also given the “Firmware Curious” Discord role “as a mark of shame.” Trikk also sent 404 Media a video which showed a person being trolled with a fake version of the tool which claims to have found a Rolls-Royce Ghost nearby; the person pans their camera seemingly looking for the vehicle but doesn’t find one.

“It’s more so a litmus test to get rid of the skids easily,” Trikk said, referring to “script kiddies,” or skids, which are hackers with a lower technical ability.

But cracked versions are starting to trickle out from the community. A source sent 404 Media a copy of the cracked tool, including scripts for Kia and Suzuki vehicles.

“I think there will be a lot of noobs that want to play around with it because it's cool, and end up bricking their key fobs, and others will likely try to use it to break into/steal cars,” Trikk said. “Unfortunately with the original author selling it to anyone who has the money, it's going to be available very soon, and open sourced shortly thereafter.”

Derrow, one of the developers, told 404 Media “the sale is currently going through the roof.”

From 404 Media via this RSS feed