Xiaomi electric scooters vulnerable to remote hijacking

Updated: Researchers say the vehicle’s authentication protocols leave much to be desired.

Electric scooters have swamped the streets of cities worldwide and, already considered an annoyance by some, may now also be considered a security and safety risk.

On Tuesday, researcher Rani Idan from San Francisco-based exploit seller Zimperium disclosed a vulnerability present in the Xiaomi M365 electric scooter which could potentially permit attackers to remotely control a vehicle, leading to issues including sudden acceleration or braking.

The problem lies in how the scooter authenticates its users, or the lack thereof.

According to Idan, passwords used to authenticate with the scooter's onboard computer systems are not being "properly used" during the authentication process. Because the password is validated only on the application side, the scooter itself does not track authentication state, and so "all commands can be executed without the password."


Without authentication or user consent, the researcher was able to lock the M365 through a denial-of-service (DoS) attack against the scooter's anti-theft mechanism, as well as control braking and acceleration and lay the groundwork required to "install a new, malicious firmware that can take full control over a scooter."
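The device-side check that the researcher describes as missing, sketched as an added C example (not code from Zimperium, Xiaomi or the original article). The command names, session struct, secret and lockout threshold are all hypothetical; the flawed handler models a device that trusts the app to have checked the password, and the hardened handler verifies it on the device and tracks the result per connection.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical command set and session model; not Xiaomi's protocol. */
enum cmd { CMD_AUTH, CMD_LOCK, CMD_SET_SPEED, CMD_FW_UPDATE };
enum result { RES_OK, RES_DENIED, RES_LOCKED_OUT };

#define MAX_FAILS 3 /* assumed threshold; a real device would also rate-limit across reconnects */

struct session {            /* one per wireless connection, zeroed on connect */
    int authenticated;
    unsigned fails;
};

static const uint8_t DEVICE_SECRET[] = "constructed-secret"; /* constructed sample value */

/* Compare without an early exit so timing does not leak a matching prefix. */
static int secret_matches(const uint8_t *in, size_t len) {
    uint8_t diff = (uint8_t)(len != sizeof DEVICE_SECRET - 1);
    for (size_t i = 0; i < sizeof DEVICE_SECRET - 1; i++)
        diff |= (uint8_t)((i < len ? in[i] : 0) ^ DEVICE_SECRET[i]);
    return diff == 0;
}

/* Flawed model: the device trusts that the app already checked the password. */
enum result handle_app_side_only(struct session *s, enum cmd c,
                                 const uint8_t *arg, size_t len) {
    (void)s; (void)c; (void)arg; (void)len;
    return RES_OK;                      /* every command is executed */
}

/* Hardened model: the device verifies the secret and tracks session state. */
enum result handle_device_side(struct session *s, enum cmd c,
                               const uint8_t *arg, size_t len) {
    if (s->fails >= MAX_FAILS)
        return RES_LOCKED_OUT;          /* stop guessing on this connection */
    if (c == CMD_AUTH) {
        if (secret_matches(arg, len)) {
            s->authenticated = 1;
            s->fails = 0;
            return RES_OK;
        }
        s->fails++;
        return RES_DENIED;
    }
    /* Lock, speed and firmware commands all require an authenticated session. */
    return s->authenticated ? RES_OK : RES_DENIED;
}
```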


To demonstrate the vulnerability, Zimperium created proof-of-concept (PoC) code in the form of a malicious application which was able to scan for nearby Xiaomi M365 scooters and send crafted payloads to exploit the flaw.

Idan says that vehicles up to 100 meters away can be exploited.

An attack which locks the scooter remotely can be viewed in the video below:

Security flaws which can affect the safety of Xiaomi M365 vehicles are serious enough, but it is also of note that these vehicles are used, modified, and offered by third-party vendors through scooter rental schemes.


Zimperium says that Xiaomi was made aware of the findings and on 28 January 2019, the company said this was a "known issue internally" caused by "third-party products." However, Zimperium says that the scooters are yet to be patched.

Update 14.51 GMT: A Xiaomi spokesperson told ZDNet:

"Xiaomi is aware of the vulnerability which hackers with malicious intent might exploit to interrupt the operations of Mi Electric Scooter. As soon as we found out about this vulnerability, we have been working to fix it and taking down all unauthorized applications. 

In the meantime, an OTA (over-the-air) update is being prepared by Xiaomi's product and security teams, and will be available as soon as possible. Xiaomi values feedback from our users and the security community, we are committed to constantly improve based on all feedback so as to build better and safer products."
