Xiaomi's Popular Electric Scooter M365 Can Be Hacked To Speed Up or Stop (wired.com)
The fleets of electric scooters that have inundated cities are alarming enough as is. Now add cybersecurity concerns to the list: Researchers from the mobile security firm Zimperium are warning that Xiaomi's popular M365 scooter model has a worrying bug. From a report: The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking. Rani Idan, Zimperium's director of software research, says he found and was able to exploit the flaw within hours of assessing the M365's security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed.
Idan quickly found that he could connect to the scooter via Bluetooth without being asked to enter a password or otherwise authenticate. From there, he could go a step further and install firmware on the scooter without the system checking that this new software was an official, trusted Xiaomi update. This means that an attacker could easily put malware on a scooter, giving herself full command over it. "I was able to control any of the scooter features without authentication and install malicious firmware," Idan says. "An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."
Re: Bluetooth....? (Score:1)
You can use their app to have a speedometer and odometer. It also lets you lock it, and get exact battery details.
On a separate note, these are a bitch to upkeep - there is little to no repair documentation and you end up having to buy a lot of third party parts just to get them going for more than a month.
Re: (Score:2)
It blocks the honest thieves.
More than cyber-safety issues (Score:2)
You can use their app to have a speedometer and odometer. It also lets you lock it, and get exact battery details.
How exactly do you SAFELY use a speedometer on your phone while riding the scooter? It sounds like this sort of thing has more than just cyber-safety issues. All of these functions could be replaced by a simple LCD display for minimal cost and far safer functionality.
Re: (Score:2)
How exactly do you SAFELY use a speedometer on your phone while riding the scooter?
I'd do it the same way one does it on a bicycle, with a handlebar cradle. Mind you, I don't do it on a bicycle, either. I have a three dollar cycle computer which tells me the things I might want to know all the time, like what time it is or how fast I'm going. If I were using my phone for GPS, I'd want to just keep it in my pocket, and use a bluetooth earpiece to get the navigation information.
Re: Bluetooth....? (Score:5, Funny)
Why the fuck does a scooter need Bluetooth,
They needed a killer feature and the 'buttplug built into the seat' idea - a safety feature to keep you on the scooter - was determined to be too ahead of its time...
South Park did it (Score:3)
https://southpark.fandom.com/w... [fandom.com]
Shit, forgot to commit (Score:2)
# git diff --cached
# git commit -m "fixed security"
# git push
Re: (Score:2)
I was thinking JavaScript.
I don't remember a 'var' keyword in BASIC, and they use the colon to separate commands on the same line, not a semicolon.
The Killer App! (Score:2)
Joker Approved!
It’s a feature! (Score:2)
Actually, I kind of like the idea...
So I’ll write an app that will apply the brakes and slow any scooter within Bluetooth range to 5 MPH. No more worries about getting hit by some idiot on a scooter.
Now if I could do the same thing to e-bikes and cars, we’d have a winner!
Re: (Score:1)
Nah, do it with kind of a doppler effect ... if it's coming towards you it slows linearly ... if it's driving away from you, it accelerates.
I don't know, I can imagine an awful lot. (Score:3)
"An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."
Like a government official bans them in the name of safety, but really doing so at the behest of car companies or the bus drivers' union?
Whatever worst case scenario I can imagine? (Score:3)
"An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."
I don't know, I can imagine some pretty amazing sequences of events that would be best described as "Rube Goldberg Final Destination directed by Michael Bay" but I'd be willing to bet that in reality "accelerate a person into traffic" is as bad as it'd ever get, and even that would assume the person somehow never thought to let go of the scooter. Everything else that's actually likely basically amounts to "make scooter rider fall down".
What is the worst case scenario you can imagine? (Score:1)
".. or whatever the worst case scenario you can imagine."
Well - I know a challenge when I see it!
So, What would that be? .. Driving over a box filled with kittens in front of a class of little kids?
Maybe
I'd be more impressed... (Score:1)
If the bluetooth hack let them control the steering as well. :^)E
- I was a perfectionist; now I'm much better - I'll compromise.