15 February 2019
The market for electronic scooters, or smart scooters, is growing at a fast pace. These smart e-vehicles are helpful for the daily commute and can be controlled via a mobile app, but they are also susceptible to cyber attacks if proper security measures are not taken. One such serious security flaw in the Xiaomi M365 scooter has been identified by researchers from the mobile security firm Zimperium.
The flaw, according to Zimperium, is quite serious in nature: it not only allows attackers to remotely take control of any Xiaomi e-scooter, but also lets them increase or decrease its speed and apply the brakes, raising serious concerns about rider safety.
The researchers describe three main components in these scooters: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with the scooter via the smartphone app. Zimperium’s researchers found the Bluetooth connection easy to exploit.
Rani Idan, Zimperium’s director of software research, said that he was not only able to connect to the Xiaomi M365 scooter without being asked for any authentication or password, but was also able to install new firmware. The system did not even check whether the firmware was authentic Xiaomi firmware, giving an attacker total control of the scooter.
“I was able to control any of the scooter features without authentication and install malicious firmware. An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst-case scenario you can imagine.”
“IoT devices are everywhere—in our personal space, holding our most sensitive data, and in our daily routines. You would probably think those devices would implement the best security protections possible, but unfortunately, that is not always the case.” said Idan.
IoT devices have had security and integrity issues in the past as well, often coupled with weak or missing authentication mechanisms. The same authentication gaps also appear in how devices verify their firmware updates. Earlier, researchers found similar vulnerabilities in Segway miniPRO hoverboards, which were quickly fixed.
The possibility of an unauthorized party gaining total control over the Xiaomi e-scooter poses a serious threat to the user's privacy and puts the rider's safety at risk. Xiaomi’s M365 scooters are very popular and are used by ride-sharing services such as Lyft and Bird.
These vulnerabilities pose a huge risk to users, and we hope that Xiaomi not only fixes these bugs in the current generation of scooters but also implements better security measures across its other devices.
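The missing check described in the two passages above, as an added example that is not Zimperium's or Xiaomi's code: a Go model of the decision an updater should make before flashing an image received over Bluetooth, accepting only images carrying a valid vendor signature. The package layout (image followed by an Ed25519 signature over the image's SHA-256 hash), the vendor key provisioned on the device, and the firmware bytes are all constructed assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrRejected = errors.New("firmware rejected: not signed by the vendor key")

// Verifier models the check a scooter's updater should perform before flashing
// any image received over BLE: only images signed by the vendor are accepted.
type Verifier struct {
	VendorKey ed25519.PublicKey // provisioned at manufacture, never taken from the BLE peer
}

// SignFirmware is the vendor-side build step (hypothetical layout): image || Ed25519(SHA-256(image)).
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return append(append([]byte{}, image...), ed25519.Sign(priv, digest[:])...)
}

// Accept returns the image to flash, or an error the updater must treat as "do not flash":
// too-short packages, unsigned images and signed images altered in transit are all rejected.
func (v Verifier) Accept(pkg []byte) ([]byte, error) {
	if len(pkg) <= ed25519.SignatureSize {
		return nil, ErrRejected
	}
	n := len(pkg) - ed25519.SignatureSize // image is pkg[:n], signature is pkg[n:]
	digest := sha256.Sum256(pkg[:n])
	if !ed25519.Verify(v.VendorKey, digest[:], pkg[n:]) {
		return nil, ErrRejected
	}
	return pkg[:n], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the vendor's offline signing key
	v := Verifier{VendorKey: pub}
	image := []byte("constructed firmware image, not a real M365 image")
	signed := SignFirmware(priv, image)
	_, err := v.Accept(signed)
	fmt.Println("vendor-signed image accepted:", err == nil)
	_, err = v.Accept(image) // pushed over BLE with no signature at all
	fmt.Println("unsigned image accepted:", err == nil)
	signed[0] ^= 0xff // one byte patched in flight
	_, err = v.Accept(signed)
	fmt.Println("tampered image accepted:", err == nil)
}
```

A real updater would additionally bind a version number into the signed data to block rollback to an older signed image, and the public key itself must live in write-protected storage so that it cannot be replaced over the same unauthenticated channel.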