People keep injuring themselves on electric scooters. Some are illegally scooting down sidewalks, others are riding with someone else on the vehicle, breaking traffic laws, using them underage, and many are reportedly not wearing helmets. But now there’s a new reason to think twice before taking one of these two-wheeled contraptions for a joy ride, and it has nothing to do with your own disregard for safety: hacks.
On Tuesday, security firm Zimperium published a report detailing what researchers say are security flaws of Xiaomi’s M365 scooter that make it susceptible to hackers. Specifically, Zimperium found that these scooters each have a Bluetooth password to access its features, but “the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password.” That means that a hacker could lock any M365 scooter with a denial-of-service attack, deploy malware to fully control the scooter, and remotely cause it to brake or accelerate.
The researchers were able to remotely control a scooter from up to 100 meters away, and they posted a video on YouTube that shows the hack deployed in real life.
In the video, a “hacker” targets an individual who is riding into a crosswalk, remotely causing the scooter to brake from his phone. In the description of the video, the researchers wrote that they used malware to find nearby M365 scooters, and then disabled the targeted scooter through the anti-theft feature “without authentication or the user consent.”
Zimperium said in its report that it alerted Xiaomi to the security flaws but that they have yet to be patched. “Unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user,” the researcher wrote. A Xiaomi spokesperson told told the Verge it was investigating the issue.
While you might not be familiar with the Xiaomi brand, there’s a chance their scooters used by other brands or sold under other names pack the company’s vulnerable components, the researchers say.
“It might have implications on any ride-sharing service that uses Xiaomi scooters but didn’t disable or replace Xiaomi’s bluetooth module,” Rani Idan, security researcher at Zimperium, told the Verge. “Moreover, Xiaomi scooters are rebranded and sold under different names, those might be affected.”
Bird, one of the leading dockless scooter companies in the US, told the Verge that its scooters aren’t affected by the security flaw detailed in Zimperium’s report. And Lime, the other leading ride-sharing company, reportedly said that they don’t have any M365 scooters deployed.
As Idan noted, it’s still unclear whether other companies might have affected scooters in their fleets, and whether they are still susceptible to this hack. People are already being sent to the emergency room for human error, what we don’t need is to add malicious hack to what’s already a risky ride. [The Verge]