bird hacked xiaomi electric scooters town city cybersecurity security news hacked hijacked awareness training

Caution! Electric Scooters Can Be Hacked!

In many cities, electric scooters are only a few steps away. These nifty speed racers are the latest way to get around town, but watch out! Some scooters are prone to being hacked!

Scooting Around Town

Electric scooters, seen as a nuisance by some but a convenience by others, are scattered across cities in the United States as the fastest way to zip through town. Download an app on your phone, scan the barcode, and you are good to go! As with any Internet of Things device, there are safety concerns, such as your electric scooter being hacked and remotely controlled while you are picking up speed.

Forbes security contributor Lee Mathews explains how dangerous these scooters can be in his article, Hackers Can Remotely Hijack Electric Scooters While You Ride:

Electric scooter sharing services spread like wildfire in 2018. The zippy two-wheelers have been in the headlines many times over the past several months due to safety issues. Some models were abruptly stopping and throwing riders off. Now a serious software issue has been discovered in another electric scooter.

Xiaomi Scooters

The Xiaomi M365, also known as Bird & Spin, can be hacked and made to accelerate or stop by the attacker. The hacker doesn’t even need physical access to the scooter. This hack can be performed wirelessly from as far as 110 yards away.

Remote Control Access to Scooters

Threat researchers at Zimperium published a proof-of-concept this week that details how they were able to gain control of the M365. Like many popular electric scooters, the M365 uses Bluetooth to communicate with a companion mobile app.

The app allows users to do things like turn on anti-theft features and activate a power-saving mode. It also lets M365 owners update the firmware of their scooters.

Lack of Password Security

Normally you’d have to enter a password to perform a firmware upgrade, and the M365 does ask users to choose their own password instead of rolling with an easy-to-guess default. Zimperium discovered, however, that the scooter wasn’t properly validating passwords before following instructions.

That allowed Zimperium researchers to do whatever they wanted. “We can use all of these features without the need for authentication,” noted Director of Platforms Research Rani Idan.

Denial of Service Attack

Using a denial-of-service attack (similar to the kind of attacks that have knocked major websites and even an entire country offline), Zimperium was able to remotely lock any nearby M365 scooters. A specific scooter could be targeted and forced to accelerate or stop. In a worst-case scenario, they even figured out how to replace Xiaomi’s original firmware with a modified — and potentially malicious — version.

Zimperium has reported the issue to Xiaomi, but no fix has been issued yet. In the meantime, Zimperium suggests keeping the Bluetooth connection between your smartphone and the scooter alive while you ride. Doing so can prevent a hacker from taking control.

Mathews, Lee. “Hackers Can Remotely Hijack Electric Scooters While You Ride.” Forbes, 14 Feb. 2019.
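The defect Zimperium describes, a password that is requested but never actually gates the commands that follow, is easiest to see in code. The C model below is an added example, not Xiaomi's firmware or Zimperium's proof-of-concept; its opcodes, session structure and owner password are hypothetical values constructed for illustration. It shows a dispatcher with the missing check beside the single gate that fixes it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Model of a scooter controller's BLE command dispatcher. Opcodes, session
 * layout and the owner password are hypothetical values constructed here. */
enum cmd { CMD_GET_STATUS = 1, CMD_AUTH, CMD_LOCK, CMD_SET_SPEED, CMD_FW_WRITE };
struct session { bool authenticated; bool locked; uint8_t speed_limit; int fw_writes; };
static const char OWNER_PASSWORD[] = "example-owner-pw";   /* constructed sample */

/* Vulnerable dispatcher: CMD_AUTH records whether the password matched, but no
 * other handler consults that flag, so every command executes regardless. */
static bool dispatch_vulnerable(struct session *s, enum cmd op, const uint8_t *arg, size_t len) {
    switch (op) {
    case CMD_AUTH:
        s->authenticated = (arg && len == strlen(OWNER_PASSWORD) && memcmp(arg, OWNER_PASSWORD, len) == 0);
        return s->authenticated;
    case CMD_LOCK:      s->locked = true;                                   return true;
    case CMD_SET_SPEED: if (len < 1) return false; s->speed_limit = arg[0]; return true;
    case CMD_FW_WRITE:  s->fw_writes++;                                     return true;
    case CMD_GET_STATUS:                                                    return true;
    }
    return false;
}

/* Hardened dispatcher: a single gate in front of the switch. Anything that
 * changes state is refused, not executed, until CMD_AUTH has succeeded. */
static bool dispatch_hardened(struct session *s, enum cmd op, const uint8_t *arg, size_t len) {
    bool privileged = (op != CMD_GET_STATUS && op != CMD_AUTH);
    if (privileged && !s->authenticated)
        return false;                     /* reject before touching any state */
    return dispatch_vulnerable(s, op, arg, len);
}
/* Scenario checks: each returns 1 if the scooter ended up locked, else 0. */
int vulnerable_locks_without_auth(void) {
    struct session s = {0};
    dispatch_vulnerable(&s, CMD_LOCK, NULL, 0);
    return s.locked;                      /* 1: any peer in range can lock it */
}
int hardened_locks_without_auth(void) {
    struct session s = {0};
    dispatch_hardened(&s, CMD_LOCK, NULL, 0);
    return s.locked;                      /* 0: refused until authenticated */
}
int hardened_locks_after_auth(void) {
    struct session s = {0};
    dispatch_hardened(&s, CMD_AUTH, (const uint8_t *)OWNER_PASSWORD, strlen(OWNER_PASSWORD));
    dispatch_hardened(&s, CMD_LOCK, NULL, 0);
    return s.locked;                      /* 1: the owner's session still works */
}
```

The same gate covers speed changes and firmware writes, which is the point: authorization belongs in one place ahead of every privileged handler, not scattered across them.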
