People keep injuring themselves on electric scooters. Some are illegally scooting down sidewalks, others are riding with someone else on the vehicle, breaking traffic laws, using them underage, and many are reportedly not wearing helmets. But now there is a reason to think twice before taking one of these two-wheeled contraptions for a joy ride, and it has nothing to do with your own disregard for safety: hacks.
On Tuesday, security firm Zimperium published a report detailing what researchers say are security flaws in Xiaomi's M365 scooter that make it susceptible to hackers. Specifically, Zimperium found that these scooters have a Bluetooth password to access their features, but that the password is not used properly as part of the authentication process with the scooter and that all commands can be executed without the password. A hacker could lock any M365 scooter with a denial-of-service attack, deploy malware to fully control the scooter, and remotely cause it to brake or accelerate.
The researchers were able to control a scooter from up to 1
In the video, a "hacker" targets an individual who is riding into a crosswalk, remotely causing the scooter to brake from his phone. In the description of the video, the researchers wrote that they used malware to find nearby M365 scooters, and then disabled the targeted scooter through the anti-theft feature "without authentication or the user consent."
Zimperium said in its report that it alerted Xiaomi to the security flaws but that they have yet to be patched. “Unfortunately, the scooter's security still needs to be updated by Xiaomi (or any third party they work with) and cannot be fixed easily by the user,” the researcher wrote. A Xiaomi spokesperson was investigating the issue.
While you may not be familiar with the Xiaomi brand, there is a chance that its scooters, used by other brands or sold under other names, pack the vulnerable components, the researchers say.
"It might have implications on any ride-sharing service that uses Xiaomi scooters but did not disable or replace Xiaomi's Bluetooth module," Rani Idan, security researcher at Zimperium, told The Verge. "Moreover, Xiaomi scooters are rebranded and sold under different names, which might be affected."
Bird, one of the leading dockless scooter companies in the US, told The Verge that its scooters are affected by the security flaw detailed in Zimperium's report. And the other leading ride-sharing company said that they don't have any M365 scooters deployed.
As noted, it is still unclear whether other companies might have affected scooters in their fleets, and whether they are still susceptible to this hack. People are already being sent to the emergency room because of human error; we do not need to add malicious hacks to what is already a risky ride.