A serious design flaw in a popular electric scooter has allowed researchers to hack into it when they were up to 100 meters away – and ultimately force it to brake or speed up.
Researchers at Zimperium on Tuesday released a proof-of-concept (PoC) for the attack, which impacts Xiaomi M365 scooters. The attack allowed them to launch a denial-of-service attack; install malicious firmware that can take full control over the scooter; and cause the scooter to suddenly brake or accelerate for individual targeted riders.
While Xiaomi acknowledged the issue, the company said it is still working on an update.
“As part of our IoT research in Zimperium’s zLabs team, we looked at the Xiaomi M365 electric scooter and put it under our scope,” Rani Idan, with Zimperium, said in a Tuesday post. “Xiaomi’s scooter has a significant market share and is being used by different brands with some modifications. Bluetooth communication is utilized to manage the scooter.”
The flaw stems from a common issue in Internet of Things (IoT) devices – insecure Bluetooth communication between the scooter and its companion app. Idan said that M365 scooter owners can use the Bluetooth-enabled app for multiple features, such as an Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter’s firmware.
However, these same features have dangerous implications when the scooter is under the control of a bad actor.
Every scooter is protected by a password that can be changed by the user. However, researchers found that the password is not properly used as part of the authentication process with the scooter – all commands can in fact be executed without it.
“The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state,” Idan said. “Therefore, we can use all of these features without the need for authentication.”
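The pattern Idan describes (the app checks the password, the device never does) is modelled below as an added example; this is constructed illustration code, not Xiaomi’s protocol or Zimperium’s PoC, and every class, command name and session id is hypothetical. The vulnerable controller executes whatever arrives over the link; the hardened one validates the password itself and gates privileged commands on a per-session authenticated flag.

```python
"""Constructed model of client-side-only authentication versus
device-side authentication state. Names are hypothetical."""
import hmac

# Hypothetical privileged commands; a real device would define its own set.
PRIVILEGED = {"lock", "unlock", "update_firmware", "set_speed_mode"}


class ClientOnlyAuthController:
    """Vulnerable pattern: the app validates the password, the device
    trusts the app, so any peer on the link can issue any command."""

    def __init__(self, password: str):
        self.password = password  # stored but never consulted below
        self.locked = False

    def handle_command(self, command: str) -> str:
        if command == "lock":
            self.locked = True
        elif command == "unlock":
            self.locked = False
        return "ok"


class DeviceAuthController:
    """Hardened pattern: the device keeps the authentication state per
    session and refuses privileged commands until the password is proven."""

    MAX_FAILURES = 5  # simple online-guessing brake; constructed value

    def __init__(self, password: str):
        self.password = password  # a real device should store a hash
        self.locked = False
        self.sessions: dict[str, bool] = {}  # session id -> authenticated?
        self.failures = 0

    def authenticate(self, session_id: str, supplied: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False  # locked out until the device is reset/re-paired
        ok = hmac.compare_digest(supplied.encode(), self.password.encode())
        self.failures = 0 if ok else self.failures + 1
        self.sessions[session_id] = ok
        return ok

    def handle_command(self, session_id: str, command: str) -> str:
        if command in PRIVILEGED and not self.sessions.get(session_id, False):
            return "rejected: unauthenticated"
        if command == "lock":
            self.locked = True
        elif command == "unlock":
            self.locked = False
        return "ok"
```

In the hardened version a second, unauthenticated session cannot unlock what an authenticated one locked, which is exactly the check the article says the scooter lacks.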
Idan told Threatpost he made an app that scans for Xiaomi scooters nearby and attacks them. “We have an app for Android but also for iOS that we will publish later,” he said.
Idan was able to scan for nearby scooters and send a crafted payload via his PoC app (available on GitHub). That payload issues a command that locks any scooter within 100 meters.
In a video demonstration (below), researchers showed how their proof of concept could lock the scooter by using its anti-theft feature – without authentication or the user’s consent. In the video, the researchers launched the PoC attack against a scooter rider crossing a busy street, to showcase the risks of such an attack.
When researchers reached out to Xiaomi, the company said that the issue was already known internally and had been made public; however, “unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any third parties they work with) and cannot be fixed easily by the user,” researchers said.
Xiaomi did not respond to a request for comment from Threatpost.
The Xiaomi M365 is not the first scooter that’s been hacked – back in 2017, researchers with IOActive discovered vulnerabilities in the firmware of the Segway MiniPro, allowing them to remotely take over the scooter’s controls.
“The rise of IoT devices brings with it a world of new opportunities and convenience, and unfortunately, serious risk,” Idan said. “These risks can be found in your smart home, network devices, and even right under your feet – electric scooters, the new urban way to commute all over the world.”