sb-as logo
Story image

Security flaw in Xiaomi electric scooters could have deadly consequences

13 Feb 2019

Xiaomi’s M365 electric scooters could be something of a deathtrap for riders, after a security firm discovered security flaws in the scooters’ Bluetooth systems.

Zimperium reported in a blog this week that the M365 electric scooters use Bluetooth via a dedicated in order to manage features like cruise control, anti-theft systems, and eco-mode. While the Bluetooth system includes a password for security, the password doesn’t actually work properly.

Because of that lack of password security, an attacker could, in theory,target a rider, and then cause the scooter to suddenly brake or accelerate.  That could potentially have deadly consequences, particularly if a rider is crossing the road.

The attacker can also lock any scooter through a denial of service attack, and the attacker could also load malware that can take full control of the scooter (Zimperium responsibly chose not to disclose the malware that could do such a thing).

The company explains what the issue with the password authentication is:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state. Therefore, we can use all of these features without the need for authentication.”

Zimperium demonstrates the proof-of-concept attack in a YouTube video, which shows researchers performing a remote lock on a scooter.

“We demonstrate a PoC locking the scooter using our malicious application that scans for nearby Xiaomi M365 scooters and disables them by using the anti-theft feature of the scooter – without authentication or the user consent.

"The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 metres away.”

Xiaomi responded to Zimperium and acknowledged that it is a known issue. Xiaomi says it has made the issue public. Because Xiaomi works with third parties, it has to work with them to create a fix.

However, it doesn’t look like Xiaomi will be issuing recalls, and the affected scooter is still being sold in New Zealand and worldwide. In New Zealand, the scooter retails for almost $700.

“Unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user,” Zimperium concludes.

Story image
State-based cyber attack targeting Australian government and businesses
Prime Minister Scott Morrison told media on Friday morning that a 'malicious' attack by a state-based cyber actor is underway in the country.More
Link image
Say goodbye to shadow IT with Cloudera Data Platform
Get full visibility into all your data and its lifecycle, while managing infrastructure and analytic workloads across hybrid and multi-cloud environments.More
Story image
Rackspace and Cloudflare join forces for managed edge security
Rackspace and Cloudflare join forces for managed edge security The solution includes a web application firewall, DDoS protection, DNS services and a global content delivery network, backed by 24/7 support.More
Download image
NFV touted as go-to method of simplifying corporate networks
Enterprises outline their considerations in this study, built on evidence from those directly involved with building a strong networking infrastructure.More
Story image
Illumio launches Zero Trust endpoint protection solution for our digital, remote world
“As organisations were forced to transform overnight to allow for remote work, a host of endpoint security issues that have either been ignored or invisible until now were brought to the forefront."More
Story image
Australians ignoring cybersecurity policies in favour of productivity
Trend Micro has found that 67% of remote workers have increased their cybersecurity awareness during COVID-19 related lockdowns. However, despite greater awareness people may still engage in risky behaviour, the survey finds.More