Xiaomi Electric Scooter Reportedly Vulnerable To Hijacking Hack

xiaomi-mi-spin-bird-electric-scooter

The Xioami M365 has a flaw that could allow a hacker to hijack control of the vehicle, a security researcher says.

Sean Hollister/CNET

A flaw in a popular electric scooter has added to the list of safety concerns surrounding the devices, which have invaded several US cities in the past year.

The Xiaomi M365 is an electric scooter used by some scooter rental companies that contains a flaw that could allow a hacker to take full remote control over the vehicle, including causing the scooter to suddenly accelerate or brake, according to information released Tuesday by security research group Zimperium. The firm blames the scooter’s password authentication process, which is done via Bluetooth communications.

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password,” Zimperium said in a statement. “The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”

Researchers said they were able to interact with the device’s anti-theft system, cruise control and eco mode, as well as update its firmware, without required authentication.

Zimperium published a proof-of-concept video showing its app scanning for nearby Xiaomi scooters and disabling them through their anti-theft feature. The app will work on any M365 within a radius of about 328 feet (100 meters), Zimperium said.

The hack adds to the concerns surrounding rentable e-scooters, which have become a controversial topic as they show up in more US cities and regulators hurry to write laws around the new form of transportation. Some people say they love being able to scoot block-to-block around congested cities. Others complain that riders endanger pedestrians by ignoring traffic laws, riding on sidewalks and leaving the scooters wherever they feel like it.

The flaw Zimperium discovered is similar to one discovered afflicting a Segway hoverboard in 2017. IOActive found it could gain full remote access to the hoverboard by manually sending commands to the Segway app through Bluetooth updates without the need for authentication.

Zimperium said it informed Xiaomi of the flaw. Xiaomi didn’t immediately respond to a request for comment.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin — and soon, too, a myriad services that will change your life.

READ MORE HERE