In many cities, electric scooters are only a few steps away. These nifty speed racers are the latest way to get around town, but watch out! Some
Scooting Around Town
Electric scooters, seen as a nuisance to some but a convenience to others, are scattered all over cities in the United States as the fastest way to zip through town. Download an app on your phone, scan the barcode, and you
Forbes security contributor Lee Mathews explains how dangerous these scooters can be in his article "Hackers Can Remotely Hijack Electric Scooters While You Ride":
Electric scooter sharing services spread like wildfire in 2018. The zippy two-wheelers have been in the headlines many times over the past several months due to safety issues. Some models were abruptly stopping and throwing riders off. Now a serious software issue has been discovered in another electric scooter.
The Xiaomi M365, also known as Bird &
Remote Control Access to Scooters
Threat researchers at Zimperium published a proof-of-concept this week that details how they were able to gain control of the M365. Like many popular electric scooters, the M365 uses Bluetooth to communicate with a companion mobile app.
The app allows users to do things like turn on anti-theft features and activate a power-saving mode. It also lets M365 owners update the firmware of their scooters.
Lack of Password Security
Normally you’d have to enter a password to perform a firmware upgrade, and the M365 does ask users to choose their own password instead of rolling with an easy-to-guess default. Zimperium discovered, however, that the scooter wasn’t properly validating passwords before following instructions.
That allowed Zimperium researchers to do whatever they wanted. “We can use all of these features without the need for authentication,” noted Director of Platforms Research Rani Idan.
Denial of Service Attack
Using a denial-of-service attack (similar to the kind of attacks that have knocked major websites and even an entire country offline), Zimperium was able to remotely lock any nearby M365 scooters. A specific scooter could be targeted and forced to accelerate or stop. In a worst-case scenario, they even figured out how to replace Xiaomi’s original firmware with a modified — and potentially malicious — version.
Zimperium has reported the issue to Xiaomi, but no fix has been issued yet. In the meantime, Zimperium suggests keeping the Bluetooth connection between your smartphone and the scooter alive while you ride. Doing so can prevent a hacker from taking control.
Mathews, Lee. “Hackers Can Remotely Hijack Electric Scooters While You Ride.” Forbes, 14 Feb. 2019.
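The core flaw in the quoted article is that the scooter asks for a password but never enforces it before acting on commands sent over Bluetooth. The following added Python model (not code from the article, Zimperium or Xiaomi) contrasts such a handler with one that gates privileged commands behind an authenticated session; the command codes, message layout and password are hypothetical and do not reflect the real M365 protocol.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical command codes for illustration only, not the real M365 BLE protocol.
CMD_AUTH = 0x01          # carries the user-chosen password
CMD_ANTI_THEFT = 0x10    # lock / unlock the scooter
CMD_SET_SPEED = 0x11     # accelerate or stop
CMD_FIRMWARE = 0x20      # firmware update chunk
PRIVILEGED = {CMD_ANTI_THEFT, CMD_SET_SPEED, CMD_FIRMWARE}

@dataclass
class ScooterSession:
    """State for one Bluetooth connection; a new connection starts unauthenticated."""
    password: bytes
    authenticated: bool = False
    log: list = field(default_factory=list)

def _execute(session, cmd, payload):
    session.log.append((cmd, payload))   # stand-in for the real action
    return "ok"

def handle_vulnerable(session, cmd, payload):
    """Weak handler: checks the password only when an auth message arrives,
    but executes every other command whether or not one was ever accepted."""
    if cmd == CMD_AUTH:
        session.authenticated = hmac.compare_digest(payload, session.password)
        return "auth ok" if session.authenticated else "auth failed"
    return _execute(session, cmd, payload)   # never consults session.authenticated

def handle_fixed(session, cmd, payload):
    """Hardened handler: privileged opcodes are refused until a successful
    auth message has been seen on this connection."""
    if cmd == CMD_AUTH:
        session.authenticated = hmac.compare_digest(payload, session.password)
        return "auth ok" if session.authenticated else "auth failed"
    if cmd in PRIVILEGED and not session.authenticated:
        return "rejected: not authenticated"
    return _execute(session, cmd, payload)

def demo():
    """Constructed scenario: a nearby device sends a lock and a firmware chunk
    without ever authenticating. Returns (weak results, hardened results)."""
    vuln = ScooterSession(password=b"owner-secret")
    fixed = ScooterSession(password=b"owner-secret")
    msgs = [(CMD_ANTI_THEFT, b"lock"), (CMD_FIRMWARE, b"\x00" * 16)]
    return ([handle_vulnerable(vuln, c, p) for c, p in msgs],
            [handle_fixed(fixed, c, p) for c, p in msgs])

if __name__ == "__main__":
    print(demo())
```

Because the session flag lives per connection, dropping the link resets it, which is also why keeping the rider's own Bluetooth connection alive denies an outsider the chance to open a fresh one.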