Story image

Security flaw in Xiaomi electric scooters could have deadly consequences

13 Feb 2019

Xiaomi’s M365 electric scooters could be something of a deathtrap for riders, after a security firm discovered security flaws in the scooters’ Bluetooth systems.

Zimperium reported in a blog this week that the M365 electric scooters use Bluetooth via a dedicated in order to manage features like cruise control, anti-theft systems, and eco-mode. While the Bluetooth system includes a password for security, the password doesn’t actually work properly.

Because of that lack of password security, an attacker could, in theory,target a rider, and then cause the scooter to suddenly brake or accelerate.  That could potentially have deadly consequences, particularly if a rider is crossing the road.

The attacker can also lock any scooter through a denial of service attack, and the attacker could also load malware that can take full control of the scooter (Zimperium responsibly chose not to disclose the malware that could do such a thing).

The company explains what the issue with the password authentication is:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state. Therefore, we can use all of these features without the need for authentication.”

Zimperium demonstrates the proof-of-concept attack in a YouTube video, which shows researchers performing a remote lock on a scooter.

“We demonstrate a PoC locking the scooter using our malicious application that scans for nearby Xiaomi M365 scooters and disables them by using the anti-theft feature of the scooter – without authentication or the user consent.

"The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 metres away.”

Xiaomi responded to Zimperium and acknowledged that it is a known issue. Xiaomi says it has made the issue public. Because Xiaomi works with third parties, it has to work with them to create a fix.

However, it doesn’t look like Xiaomi will be issuing recalls, and the affected scooter is still being sold in New Zealand and worldwide. In New Zealand, the scooter retails for almost $700.

“Unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user,” Zimperium concludes.

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.