Joyride Hack Steals Control of Scooter Hoverboard
Falling off a hoverboard is most often caused by the rider’s loss of balance or lack of skill. In the case of the Ninebot by Segway miniPRO, a security researcher has discovered vulnerabilities that would knock a rider off due to a remote attack. The flaws could be exploited to take complete control of the scooter and even drive it away from the owner.
Segway miniPRO is a self-balancing transporter that integrates features controllable from a mobile application, through a Bluetooth connection authenticated with a personal identification number (PIN). Once communication with the scooter has been established, the owner can change safety features, update the firmware, check diagnostics, command the scooter to move and activate the anti-theft lock. However, Thomas Kilbride of IOActive found the hoverboard can be controlled without the PIN.
“By intercepting communication between the scooter and mobile application, it was determined that Personal Identification Number (PIN) authentication was not required to establish a connection,” reads the security advisory. This was accomplished using Nordic UART, an Android app that connects to Bluetooth devices with a custom Nordic Semiconductor UART service, such as Ninebot by Segway miniPRO. An attacker could use this app to change the authentication PIN and connect to the scooter with the official Ninebot application, while cutting off the owner’s remote-control privileges.
Kilbridge’s research also revealed the firmware update process ran completely unprotected, with no verification of code integrity or legitimacy, and over an unencrypted channel. Only the domain source was validated, but this could be spoofed by an attacker. Rogue firmware was thus easily uploaded to the scooter, giving the researcher full control. A video below shows what an attacker can do by exploiting the vulnerabilities sniffed out in the miniPRO.
The recommendations for the manufacturer to solve the security problems uncovered by Kilbridge are common sense and should be integrated as a minimum precaution by any vendor of connected things. A secure update mechanism and encrypted communication between the product and its managing app are of utmost importance; applied to devices controlled via Bluetooth, authentication should be done with a pre-shared key and the connection should be governed by pairing mode limitations.
Ninebot has responded to the vulnerability disclosure by releasing a new firmware update (version 3.20) promising to address the critical issues.
Image credit: Ninebot by Segway miniPROauthentication Bluetooth IoT miniPRO Ninebot hoverboard Segway vulnerability