
Electric scooters can be hijacked remotely - no password required

Graham CLULEY

February 14, 2019


Security researchers have demonstrated that it’s possible to remotely hijack control of popular electric scooters, forcing them to dangerously brake suddenly or accelerate.

Researchers at Zimperium say it took mere hours to uncover the security hole in the Xiaomi M365 scooters used by urban commuters around the world.

Security researcher Rani Idan discovered that it was possible to target any Xiaomi M365 scooter passing within 100 metres (328 feet), forcing it to unexpectedly accelerate or brake – without any physical access to the scooter being required.

In a brief but effective video, the hoodie-wearing researcher demonstrates how easy it is to remotely stall a scooter as its perplexed owner attempts to cross a road.

It is, in short, a denial-of-service attack.

The flaw lies in the insecure Bluetooth communications between the scooter itself and its smartphone app – a problem that all too often is seen with IoT devices.

According to Idan, the dedicated app is designed to allow the scooter’s owner to make use of various features including the vehicle’s cruise control, eco mode, anti-theft system, and firmware updates.

The app itself is protected by a password that can be chosen by the user.

That all sounds good in principle, provided the password chosen is strong enough.

However, the researchers discovered that one important element of the scooter’s security had been carelessly overlooked:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”

“Therefore, we can use all of these features without the need for authentication.”

In other words, a hacker doesn’t need to know the scooter’s password to send it malicious instructions from up to 100 metres away.
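To make the design flaw concrete, here is an added illustration that is not Zimperium's proof-of-concept, not Xiaomi's firmware, and not the M365's real Bluetooth protocol: a simulated scooter that checks nothing on the device side, next to one that issues a challenge, verifies the response itself and tracks its own authentication state. The command names and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Command identifiers are constructed for this example, not the real M365 protocol.
CMD_LOCK, CMD_SET_CRUISE, CMD_FIRMWARE = "lock", "set_cruise", "firmware_update"


class AppSideOnlyScooter:
    """Vulnerable pattern: the password is checked only in the app; the device
    has no notion of an authenticated session and obeys any sender in range."""

    def __init__(self):
        self.locked = False

    def handle(self, cmd):
        if cmd == CMD_LOCK:
            self.locked = True
        return "ok"  # every command is executed, no matter who sent it


class DeviceAuthScooter:
    """Hardened pattern: the device issues a fresh nonce, expects an HMAC of it
    under the shared secret, and only then flips its own authenticated flag."""

    def __init__(self, secret):
        self._secret = secret
        self._nonce = None
        self.authenticated = False
        self.locked = False

    def challenge(self):
        self._nonce = os.urandom(16)   # fresh per session, so old responses cannot be replayed
        self.authenticated = False
        return self._nonce

    def respond(self, tag):
        if self._nonce is None:
            return False               # no outstanding challenge
        expected = hmac.new(self._secret, self._nonce, hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(expected, tag)
        self._nonce = None             # single use
        return self.authenticated

    def handle(self, cmd):
        if not self.authenticated:
            return "rejected: not authenticated"  # state is enforced on the device
        if cmd == CMD_LOCK:
            self.locked = True
        return "ok"


def app_authenticate(scooter, secret):
    """What a legitimate app does: answer the device's challenge with the shared secret."""
    nonce = scooter.challenge()
    return scooter.respond(hmac.new(secret, nonce, hashlib.sha256).digest())
```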

The researchers believe the flaw can be exploited in three obvious ways:

  • Denial of Service attack – Lock any M365 scooter.
  • Deploy Malware – Install a new malicious firmware that can take full control over the scooter.
  • Targeted Attack – Target an individual rider and cause the scooter to suddenly brake or accelerate.

The research team also says that it was able to develop proof-of-concept code capable of accelerating scooters, but has wisely decided not to publish it because of obvious safety concerns.

Nonetheless, the fact that the Xiaomi M365 scooter is used by a number of US-based ride-sharing firms does raise the fear that commuters may be unwittingly putting themselves at risk.

Idan described to The Verge how it may not be easy for riders to tell whether their scooter is one of those that are vulnerable:

“It might have implications on any ride-sharing service that uses Xiaomi scooters but didn’t disable or replace Xiaomi’s Bluetooth module. Moreover, Xiaomi scooters are rebranded and sold under different names; those might be affected.”

Zimperium claims it informed Xiaomi of the security vulnerability last month, but that no security update has yet been issued.
