{"id":14576,"date":"2019-02-12T10:45:15","date_gmt":"2019-02-12T18:45:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/12\/news-8326\/"},"modified":"2019-02-12T10:45:15","modified_gmt":"2019-02-12T18:45:15","slug":"news-8326","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/02\/12\/news-8326\/","title":{"rendered":"The Xiaomi M365 Scooter Can Be Hacked to Speed Up or Stop"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c61ddef211a51764e8af2de\/master\/pass\/Mi-Electric-Scooter_FA.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 12 Feb 2019 14:00:00 +0000<\/strong><\/p>\n<p><iframe loading=\"lazy\"  src=\"https:\/\/www.youtube.com\/embed\/ASygXa8UVYk\" width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<p>The fleets of electric <a href=\"https:\/\/www.wired.com\/story\/2018-year-of-the-scooter-what-happens-2019\/\">scooters that have inundated cities<\/a> are <a href=\"https:\/\/www.consumerreports.org\/product-safety\/e-scooter-ride-share-industry-leaves-injuries-and-angered-cities-in-its-path\/\" target=\"_blank\">alarming enough<\/a> as is. Now add cybersercurity concerns to the list: Researchers from the mobile security firm Zimperium are warning that Xiaomi\u2019s popular M365 scooter model has a worrying bug. The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking.<\/p>\n<p class=\"paywall\">Rani Idan, Zimperium\u2019s director of software research, says he found and was able to exploit the flaw within hours of assessing the M365\u2019s security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed.<\/p>\n<p class=\"paywall\">Idan quickly found that he could connect to the scooter via Bluetooth without being asked to enter a password or otherwise authenticate. From there, he could go a step further and install firmware on the scooter without the system checking that this new software was an official, trusted Xiaomi update. This means that an attacker could easily put malware on a scooter, giving herself full command over it.<\/p>\n<p class=\"paywall\">\u201cI was able to control any of the scooter features without authentication and install malicious firmware,\u201d Idan says. \u201cAn attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst-case scenario you can imagine.\u201d<\/p>\n<p class=\"paywall\">Unfortunately, <a href=\"https:\/\/www.wired.com\/story\/turn-off-bluetooth-security\/\">issues with Bluetooth implementation<\/a>, especially weak or missing authentication mechanisms, are nothing new in internet-of-things devices. Similarly, \u201cintegrity checks\u201d to confirm the authenticity and trustworthiness of software and firmware updates are often overlooked. But while they can lead to all sorts of real privacy and security risks in general, they are obviously especially problematic in devices that can endangers a user&#x27;s physical safety.<\/p>\n<p>\u201cI was able to control any of the scooter features without authentication.&quot;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Rani Idan, Zimperium<\/p>\n<p class=\"paywall\">Researchers found a <a href=\"https:\/\/www.wired.com\/story\/segway-minipro-hack\/\">similar set of flaws<\/a> in Segway MiniPro hoverboards in 2017, but the company, which is owned by Chinese scooter-maker Ninebot, worked to fix the problems. Zimperium is concerned about what will happen with Idan\u2019s findings, because when the company contacted Xiaomi to disclose the bugs, the scooter maker said it is aware of the problem and doesn\u2019t have the ability to fix it on its own.<\/p>\n<p class=\"paywall\">This is apparently because Xiaomi sources its Bluetooth implementation module from a third-party developer rather than coding it in-house. Xiaomi did not respond to multiple requests for comment from WIRED. But the company told Zimperium that \u201cthis is a known issue internally. The issue has been made public. Because it is a third-party cooperation product we are also trying to communicate solutions to each other.\u201d<\/p>\n<p class=\"paywall\">In the meantime, M365 scooters are vulnerable to an array of takeover attacks. The user app that connects to the scooters does offer the option to set a password for accessing individual devices. But when Idan created proof-of-concept Android and iOS apps to test the weaknesses, he found that the system doesn&#x27;t require outside Bluetooth connections to authenticate even once a password has been set up in the official app.<\/p>\n<p class=\"paywall\">Zimperium is taking the perhaps controversial step of publishing the Android version of this proof of concept in an attempt to prove the problem&#x27;s urgency and warn as many people as possible. Zimperium chief technology officer John Michelsen argues that it is the only recourse security researchers have to motivate accountability in unresponsive IoT companies and electronics manufacturers in general.<\/p>\n<p class=\"paywall\">Xiaomi M365 scooters are a popular consumer choice and have even been used by ride-sharing companies like Lyft and the scooter-specific service Bird. A customized version of the M365 was Bird&#x27;s first scooter model, but the company has begun phasing it out unrelated to this research.<\/p>\n<p class=\"paywall\">\u201cIoT devices are everywhere\u2014in our personal space, holding our most sensitive data, and in our daily routines,\u201d Idan says. \u201cYou would probably think those devices would implement the best security protections possible, but unfortunately that is not always the case.\u201d<\/p>\n<p class=\"paywall\">Given the potential risk to users, it&#x27;s crucial for Xiaomi to respond to the research and find a way to issue stronger Bluetooth protections. In the meantime, keep applying official updates and, as always, wear a helmet.<\/p>\n<p class=\"related-cne-video-component__dek\">Using Bluetooth and firmware authentication hacks to steer a Segway\/Ninebot MiniPRO Hoverboard from afar and even turn it off while a rider is on it. Researcher Thomas Kilbride, an embedded devices security consultant at IOActive, was able to further weaponize these attacks using a now-disabled GPS tracking feature that surfaced location data for MiniPRO Hoverboard users in a given area.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/xiaomi-scooter-hack\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c61ddef211a51764e8af2de\/master\/pass\/Mi-Electric-Scooter_FA.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 12 Feb 2019 14:00:00 +0000<\/strong><\/p>\n<p>A hacker can accelerate Xiaomi M365 scooter\u2014or hit the breaks\u2014while a rider is on it.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-14576","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14576"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14576\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14576"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}