The electric scooter fleets that have flooded cities are alarming enough. Now add cybersecurity issues to the list: researchers at mobile security company Zimperium are warning of a worrying bug in Xiaomi's M365 scooter model. The flaw could allow an attacker to take remote control of a scooter, including crucial functions such as acceleration and braking.
Rani Idan, director of software research at Zimperium, said he discovered and managed to exploit the flaw a few hours after the M365 security assessment. His analysis revealed that the scooters contain three software components: battery management, firmware that coordinates hardware and software, and a Bluetooth module that lets users communicate with their scooter through a smartphone application. The last of these leaves the devices terribly exposed.
Idan quickly found that he could connect to the scooter via Bluetooth without being prompted to enter a password or otherwise authenticate. From there, he could go further and install firmware on the scooter without the system verifying that the new software was an official, trustworthy Xiaomi update. This means that an attacker could easily put a malicious program on a scooter and gain complete control of it.
"I was able to control all the features of the scooter without authentication and install malicious firmware," says Idan. "An attacker could suddenly brake, or speed up a person's move to traffic, or whatever the worst scenario you can imagine."
Unfortunately, flawed Bluetooth implementations, including weak or missing authentication mechanisms, are nothing new in Internet-of-Things devices. Similarly, "integrity checks" that confirm the authenticity and reliability of software and firmware updates are often overlooked. These weaknesses create real security and privacy risks in any product, but they are a particular problem in devices that can endanger the physical safety of the user.
The researchers discovered a similar set of flaws in the Segway MiniPro hoverboards in 2017, but the company, which belongs to the Chinese scooter manufacturer Ninebot, has been striving to solve these problems. Zimperium worries about what will happen with Idan's findings, because when the company contacted Xiaomi to disclose the bugs, the scooter maker said it was aware of the problem and was not able to fix it on its own.
This is apparently because Xiaomi gets its Bluetooth module from a third-party developer rather than coding it internally. Xiaomi has not responded to several requests for comment from WIRED. But the company told Zimperium: "This is a known problem internally. The question has been made public. Being a product of cooperation with a third party, we also try to communicate solutions to us."
In the meantime, M365 scooters are vulnerable to a range of takeover attacks. The user application that connects to the scooters offers the ability to set a password for access to an individual device. But when Idan created Android and iOS proof-of-concept apps to test the weaknesses, he found that the system did not require external Bluetooth connections to authenticate, even once a password had been defined in the official application.
Zimperium is taking the perhaps controversial step of releasing the Android version of this proof of concept to demonstrate the urgency of the problem and to warn as many people as possible. John Michelsen, technical director of Zimperium, says that it is the only recourse available to security researchers for motivating accountability in unresponsive IoT companies and electronics manufacturers in general.
The Xiaomi M365 scooters are a popular consumer choice and have even been used by ride-sharing companies such as Lyft and the dedicated scooter service Bird. A customized version of the M365 was Bird's first scooter model, but the company began phasing it out for reasons unrelated to this research.
"IoT devices are ubiquitous in our personal space, containing our most sensitive data and our daily routines," says Idan. "You would probably think that these devices would implement the best possible security protections, but unfortunately, this is not always the case."
Given the potential risks to users, it is essential that Xiaomi respond to the research and find ways to implement more robust Bluetooth protections. In the meantime, keep applying official updates and, as always, wear a helmet.