sb-nz logo
Story image

Security flaw in Xiaomi electric scooters could have deadly consequences

13 Feb 2019

Xiaomi’s M365 electric scooters could be something of a deathtrap for riders, after a security firm discovered security flaws in the scooters’ Bluetooth systems.

Zimperium reported in a blog this week that the M365 electric scooters use Bluetooth via a dedicated in order to manage features like cruise control, anti-theft systems, and eco-mode. While the Bluetooth system includes a password for security, the password doesn’t actually work properly.

Because of that lack of password security, an attacker could, in theory,target a rider, and then cause the scooter to suddenly brake or accelerate.  That could potentially have deadly consequences, particularly if a rider is crossing the road.

The attacker can also lock any scooter through a denial of service attack, and the attacker could also load malware that can take full control of the scooter (Zimperium responsibly chose not to disclose the malware that could do such a thing).

The company explains what the issue with the password authentication is:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state. Therefore, we can use all of these features without the need for authentication.”

Zimperium demonstrates the proof-of-concept attack in a YouTube video, which shows researchers performing a remote lock on a scooter.

“We demonstrate a PoC locking the scooter using our malicious application that scans for nearby Xiaomi M365 scooters and disables them by using the anti-theft feature of the scooter – without authentication or the user consent.

"The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 metres away.”

Xiaomi responded to Zimperium and acknowledged that it is a known issue. Xiaomi says it has made the issue public. Because Xiaomi works with third parties, it has to work with them to create a fix.

However, it doesn’t look like Xiaomi will be issuing recalls, and the affected scooter is still being sold in New Zealand and worldwide. In New Zealand, the scooter retails for almost $700.

“Unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user,” Zimperium concludes.

Story image
Trend Micro adds cloud-native container security to Cloud One Services Platform
Designed to ease the security of container builds, deployments and runtime workflows, the new service helps developers accelerate innovation and minimise application downtime across Kubernetes environments.More
Story image
Check Point exposes Android malware vendor using dark net to rebrand products
Check Point security researchers have exposed an Android malware vendor using a marketer on the dark net to rebrand its products, with the intention of supercharging business and throwing off security vendors. More
Story image
Users pay with personal data - Kaspersky on WhatsApp move to share data with Facebook
"Nothing is truly free, and, unfortunately, the current business model for free services means that, essentially, we pay with our data."More
Story image
BackupAssist partners with Wasabi for greater cyber-resilience
This partnership provides customers with an up to 80% less expensive solution that is faster than the competition for achieving enterprise-grade cyber-resilience, the company states. More
Story image
A brief history of cyber-threats — from 2000 to 2020
Many significant cybersecurity events have occurred since the year 2000 — not every one of them ‘firsts’, but all of them correlating with a change in security behaviour or protection.More
Story image
Hornetsecurity acquires Altaro, the latest in acquisition spree
The move is a culmination of a medley of acquisitions made by Hornetsecurity recently, following the January 2019 acquisition of Spamina, a Spanish cloud email security company, as well as EveryCloud, its British market partner, in early 2020.More