Electric scooters can be stopped or accelerated remotely because of a security vulnerability
According to a recent report by Zimperium, the Xiaomi M365 electric scooter has a vulnerability that can be life-threatening for its users. The scooter is controlled through an application that communicates with it over Bluetooth, and this password-protected system lets the user interact with the device remotely. Through the app, the user can change the password, enable the anti-theft system, enter eco mode, use cruise control, update the firmware or view real-time riding statistics.
However, researchers recently discovered a flaw that could let an attacker send unauthenticated commands over the Bluetooth connection and control the targeted vehicle. Even if a remote attacker is 100 meters away, he or she can stop or accelerate the scooter. For this and other commands, the user-defined password is not required!
The issue is that the password is not used properly when the authentication process is initiated. It is required only by the application, while the scooter itself can be accessed directly without the authentication code. The official report even includes a real-time testing video showing how an attacker can disable the vehicle without any authentication.
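The gap described above, where the app asks for the password but the scooter never checks it, shown beside a design in which the device verifies every command itself. This is an added illustration, not code from Zimperium's report or from Xiaomi; the class names, the "lock" command, the PBKDF2 key derivation and the nonce-plus-HMAC layout are assumptions and do not reflect the M365 protocol.

```python
import hashlib
import hmac
import secrets

# Hypothetical model, not the M365 protocol: names, key derivation and layout are assumptions.
def derive_key(password: str, device_id: bytes) -> bytes:
    """Per-device key from the user-defined password, salted with the device id."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), device_id, 100_000)

def sign(key: bytes, nonce: bytes, command: str) -> bytes:
    """MAC that binds one command to one device-issued nonce."""
    return hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()

class AppOnlyScooter:
    """Flawed design: the password is checked in the app, never on the device."""
    def handle(self, command: str, tag: bytes = b"") -> bool:
        return True  # executes whatever arrives over the radio link

class DeviceAuthScooter:
    """Hardened design: the device itself verifies every command."""
    def __init__(self, password: str, device_id: bytes):
        self._key = derive_key(password, device_id)
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh, single-use
        return self._nonce

    def handle(self, command: str, tag: bytes = b"") -> bool:
        nonce, self._nonce = self._nonce, None  # consume the nonce: blocks replay
        if nonce is None:
            return False
        return hmac.compare_digest(sign(self._key, nonce, command), tag)

def demo() -> dict:
    dev_id = b"constructed-device-id"  # constructed sample value
    weak, strong = AppOnlyScooter(), DeviceAuthScooter("rider-secret", dev_id)
    out = {"weak_no_password": weak.handle("lock")}
    strong.challenge()
    out["strong_no_password"] = strong.handle("lock")
    nonce = strong.challenge()
    tag = sign(derive_key("rider-secret", dev_id), nonce, "lock")  # legitimate app
    out["strong_valid"] = strong.handle("lock", tag)
    out["strong_replay"] = strong.handle("lock", tag)  # nonce already spent
    bad = sign(derive_key("guess", dev_id), strong.challenge(), "lock")
    out["strong_wrong_password"] = strong.handle("lock", bad)
    return out

if __name__ == "__main__":
    print(demo())
```

A captured nonce and tag still allow offline password guessing, so a real design would also run this exchange over an encrypted, authenticated Bluetooth link.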
Possible attack scenarios on Xiaomi M365
Researcher Rani Idan analyzed this issue and showed how an application could send a crafted payload or use the correct sequence to launch a particular command on the device. The attacker can find a scooter that is nearby, up to 100 meters away. It is then possible to lock the scooter or use different features.
According to Idan, these are the possible attack scenarios:
- A Denial of Service attack, which can be used to lock any scooter;
- Malicious firmware, which can be installed on the device and used to take full control over the vehicle;
- An attacker can target any individual rider and stop or accelerate the scooter all of a sudden.
The installation of malicious firmware has also been analyzed, and a PoC was developed. However, Rani Idan is not publishing it due to safety concerns:
We also developed a PoC for installing malicious firmware capable of accelerating the scooter – due to the safety concerns, we won’t publish this PoC.
Zimperium has already contacted Xiaomi about the discovery, and the company reported that the issue has been known internally and has already been made public. According to their response, this is a third-party cooperation problem. Xiaomi or any other involved parties should update the security of this electric scooter; for now, there is no solution for the user.
Security vulnerabilities can lead to severe injuries or damage
Unfortunately, vulnerabilities in such devices can lead to various attacks that could end with injured riders. If the scooter is stopped all of a sudden, the rider might fall or even end up in a massive car crash if it happens in busy traffic. There are numerous malicious people who could misuse this bug to target individuals or their devices.
While there is no specific comment on the issue from the company or the third-party sources which are responsible for the Bluetooth connection, all devices are at risk. Although the user can create a password for the application, it doesn't help, since the scooter does not require any authentication when it is accessed directly. If you are using the device, keep the firmware and application up to date, as Xiaomi is expected to issue an update.
You should be aware that remote access attacks can also lead to more damage than you think. Many different methods can be used to spread such attacks:
- Remote access Trojans – when malware is used as a first infiltration method before installing a more severe cyber threat;
- Tech support scams – when attackers try to get access to your computer to steal information or banking credentials.