
Electric scooters can be hijacked remotely - no password required


February 14, 2019


Security researchers have demonstrated that it’s possible to remotely hijack control of popular electric scooters, forcing them to brake suddenly or accelerate dangerously.

Researchers at Zimperium say it took mere hours to uncover the security hole in the Xiaomi M365 scooters used by urban commuters around the world.

Security researcher Rani Idan discovered that it was possible to target any Xiaomi M365 scooter passing within 100 metres (328 feet), forcing it to unexpectedly accelerate or brake – without any physical access to the scooter required.

In a brief but effective video, the hoodie-wearing researcher demonstrates how easy it is to remotely stall a scooter as its perplexed owner attempts to cross a road.

It is, in short, a denial-of-service attack.

The flaw lies in the insecure Bluetooth communications between the scooter itself and its smartphone app – a problem that all too often is seen with IoT devices.

According to Idan, the dedicated app is designed to allow the scooter’s owner to make use of various features including the vehicle’s cruise control, eco mode, anti-theft system, and firmware updates.

The app itself is protected by a password that can be chosen by the user.

That all sounds good in principle, provided the password chosen is strong enough.

However, the researchers discovered that one important element of the scooter’s security had been carelessly overlooked:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”

“Therefore, we can use all of these features without the need for authentication.”

In other words, a hacker doesn’t need to know the scooter’s password to send it malicious instructions from up to 100 metres away.
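The missing control is authentication state held by the device itself. The following sketch is an added example, not Xiaomi's firmware or Zimperium's code: it contrasts a command handler that trusts the app with one that verifies the secret on the device and gates every command on its own per-connection state. The opcodes, result codes, function names and sample secret are all constructed for illustration, and the link is assumed to be encrypted so the secret is not exposed in transit.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical opcodes and result codes, constructed for this example. */
enum { CMD_AUTH = 0x01, CMD_LOCK = 0x02, CMD_SET_CRUISE = 0x03, CMD_FW_UPDATE = 0x04 };
enum { RES_OK = 0, RES_DENIED = 1, RES_BAD_CMD = 2 };

/* Authentication state kept by the device, one per connection. */
typedef struct { int authenticated; } session_t;

/* Constructed sample secret; a real device would hold a per-unit value. */
static const uint8_t DEVICE_SECRET[] = "constructed-sample";

/* Constant-time comparison: always walks the full stored secret, so timing
   does not reveal how many leading bytes matched. */
static int ct_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    uint8_t diff = (uint8_t)(alen != blen);
    for (size_t i = 0; i < blen; i++)
        diff |= (uint8_t)((i < alen ? a[i] : 0) ^ b[i]);
    return diff == 0;
}

/* Pattern the article describes: the device runs any known command it
   receives, because only the phone app ever checked the password. */
int handle_unchecked(session_t *s, uint8_t op, const uint8_t *arg, size_t len) {
    (void)s; (void)arg; (void)len;
    return (op >= CMD_LOCK && op <= CMD_FW_UPDATE) ? RES_OK : RES_BAD_CMD;
}

/* Hardened form: the device verifies the secret itself and refuses every
   other opcode until this connection has authenticated. */
int handle_checked(session_t *s, uint8_t op, const uint8_t *arg, size_t len) {
    if (op == CMD_AUTH) {
        s->authenticated = ct_equal(arg, len, DEVICE_SECRET, sizeof DEVICE_SECRET - 1);
        return s->authenticated ? RES_OK : RES_DENIED;
    }
    if (op < CMD_LOCK || op > CMD_FW_UPDATE) return RES_BAD_CMD;
    if (!s->authenticated) return RES_DENIED;
    return RES_OK; /* the command would be executed here */
}

/* Called when the link drops, so a later connection cannot inherit state. */
void on_disconnect(session_t *s) { s->authenticated = 0; }
```

A production design would add rate limiting on failed attempts and would typically replace the password comparison with a challenge-response exchange.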

The researchers believe the flaw can be exploited in three obvious ways:

  • Denial of Service attack – Lock any M365 scooter.
  • Deploy Malware – Install a new malicious firmware that can take full control over the scooter.
  • Targeted Attack – Target an individual rider and cause the scooter to suddenly brake or accelerate.

The research team also says that it was able to develop proof-of-concept code capable of accelerating scooters, but has wisely decided not to publish it because of obvious safety concerns.

Nonetheless, the fact that the Xiaomi M365 scooter is used by a number of US-based ride-sharing firms does raise the fear that commuters may be unwittingly putting themselves at risk.

Idan described to The Verge how it may not be easy for riders to tell if their scooter might be one of those which is vulnerable:

“It might have implications on any ride-sharing service that uses Xiaomi scooters but didn’t disable or replace Xiaomi’s bluetooth module. Moreover, Xiaomi scooters are rebranded and sold under different names, those might be affected.”

Zimperium claims it informed Xiaomi of the security vulnerability last month, but that no security update has yet been issued.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
