Security vulnerabilities in Segway hoverboard software could be exploited to remotely monitor the location of users, lock them out of their vehicles, or bring the device to a halt and cause the rider to fall off, according to security researchers.
Using reverse engineering, researchers at IOActive found it was possible to intercept communications between the Ninebot by Segway miniPRO hands-free, two-wheel electric scooter and its companion mobile application to carry out attacks.
The company found that an attacker could connect to Ninebot scooters using a modified version of Nordic UART, a proprietary Bluetooth service, and reverse engineer the scooter's communications protocol -- the same system used for remote control and configuration settings -- using a Bluetooth sniffer. The user's PIN authentication wasn't needed to establish a connection in this case.
IOActive was able to reverse engineer the firmware update mechanism, discovering that Ninebot didn't do an integrity check before accepting a firmware update. This could allow attackers to have their own firmware uploaded instead, enabling them to modify the behaviour of the device.
Attackers could potentially change the user's PIN number and upload a firmware update, locking them out of their device. A hacker could also change the LED colours or disable the scooter's motor while in use, bringing it to a sudden stop.
"As long as they have a device with Bluetooth, [attackers] can send commands to the hoverboard and use any of these exploits. They don't need a hoverboard to perform the attacks, but they need to perform the firmware update," said Kilbridge.
Nearby Segways could even be located using the Ninebot app, as it indexes the location of riders in the area and makes the information publicly available.
"As you rode the hoverboard, your phone's GPS would upload your location data to Segway servers and it'd be periodically exposed publicly. This makes it easier to weaponise an exploit like this," Thomas Kilbridge, the IOActive security researcher who found the vulnerability, told ZDNet.
IOActive has disclosed the vulnerabilities to Segway and its parent company Ninebot, and the scooter manufacturer has subsequently updated the application to ensure the security vulnerabilities have been fixed.
The company has implemented firmware integrity checking, ensured the use of Bluetooth pre-shared key authentication or PIN authentication as well as the use of strong encryption for wireless communications, and a pairing mode as the sole way to pair a scooter with a phone.
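As an added illustration (not code from IOActive, Segway or Ninebot), this Python model shows the two device-side checks described above working together: the peer must prove knowledge of a pre-shared key before an update command is considered, and the firmware image must carry a valid integrity tag before it is installed. The image layout, function names and the use of HMAC-SHA256 are assumptions made for the example, since the article does not say which mechanisms the vendor adopted; production firmware commonly uses an asymmetric signature so that the device holds only a public key.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed layout (an assumption, not Ninebot's real format):
# magic(4) | payload length(4, big-endian) | payload | HMAC-SHA256 tag(32)
HEADER, MAGIC, TAG_LEN = struct.Struct(">4sI"), b"FWUP", 32

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def build_image(fw_key, payload):
    """Vendor side: append a tag covering header and payload."""
    body = HEADER.pack(MAGIC, len(payload)) + payload
    return body + _mac(fw_key, b"fw", body)

def new_challenge():
    """Device side: fresh per-session nonce, so old responses cannot be replayed."""
    return secrets.token_bytes(16)

def auth_response(psk, challenge):
    """App side: prove knowledge of the pre-shared key without sending it."""
    return _mac(psk, b"auth", challenge)

def verify_image(fw_key, image):
    """Device side: return the payload only if the whole image verifies."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("image truncated")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(fw_key, b"fw", body)):  # constant time
        raise ValueError("integrity tag mismatch")
    magic, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise ValueError("malformed header")
    return body[HEADER.size:]

def accept_update(psk, fw_key, challenge, response, image):
    """Device side: payload to install, or None if either check fails."""
    if not hmac.compare_digest(response, auth_response(psk, challenge)):
        return None  # unauthenticated peer: update command refused
    try:
        return verify_image(fw_key, image)
    except ValueError:
        return None  # tampered or malformed image is never installed
```

The device must pass `accept_update` the challenge it issued for the current session; a response computed for an earlier challenge then fails the first check.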
The Ninebot app has also been updated to protect rider privacy by not exposing their location to others. IOActive praised the company for being "very responsive" in working with it and fixing the vulnerabilities.
"It's important for consumers to be aware of the connectability of the devices that they own," said Kilbridge.
"From the manufacturer's standpoint, it's important for safety-critical devices like this that security be checked routinely and maybe even regulations put in place to make sure that a vulnerability like this isn't in the wild before being sold on the market," he added.