Slashdot Mirror


Xiaomi's Popular Electric Scooter M365 Can Be Hacked To Speed Up or Stop (wired.com)

The fleets of electric scooters that have inundated cities are alarming enough as is. Now add cybersecurity concerns to the list: Researchers from the mobile security firm Zimperium are warning that Xiaomi's popular M365 scooter model has a worrying bug. From a report: The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking. Rani Idan, Zimperium's director of software research, says he found and was able to exploit the flaw within hours of assessing the M365's security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed.

Idan quickly found that he could connect to the scooter via Bluetooth without being asked to enter a password or otherwise authenticate. From there, he could go a step further and install firmware on the scooter without the system checking that this new software was an official, trusted Xiaomi update. This means that an attacker could easily put malware on a scooter, giving herself full command over it. "I was able to control any of the scooter features without authentication and install malicious firmware," Idan says. "An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."
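The check the summary says is missing, as an added example that is not Xiaomi's or Zimperium's code: a device that flashes whatever image arrives over the link, beside one that authenticates the image and refuses a rollback. The image layout, the HMAC-based authentication, the per-device key and the version field are all constructed for this example; a shipping product would use an asymmetric signature so the device holds no key able to produce a valid image.

```python
"""Firmware-update acceptance: the unchecked path beside a checked one.

Constructed image layout (not the M365's real format):
  magic(4) | version(u32 BE) | payload_len(u32 BE) | payload | tag(32)
tag = HMAC-SHA256(per-device key, header + payload). Assumption: the key
is provisioned at manufacture and shared only with the vendor's updater.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
HDR = struct.Struct(">4sII")
TAG_LEN = 32


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: wrap a payload with header and authentication tag."""
    header = HDR.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def accept_unverified(image: bytes) -> bytes:
    """The behaviour the report describes: install whatever arrives."""
    return image[HDR.size:-TAG_LEN]  # no authentication, no version check


def accept_verified(key: bytes, installed_version: int, image: bytes):
    """Hardened device side: parse defensively, authenticate, then
    enforce anti-rollback. Returns (payload, reason); payload is None
    whenever the image is refused."""
    if len(image) < HDR.size + TAG_LEN:
        return None, "truncated"
    magic, version, plen = HDR.unpack_from(image)
    if magic != MAGIC or HDR.size + plen + TAG_LEN != len(image):
        return None, "bad header"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None, "bad signature"
    if version <= installed_version:  # older or same build: refuse
        return None, "rollback"
    return body[HDR.size:], "ok"


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed per-device key
    good = build_image(key, 2, b"motor-controller v2")
    tampered = good[:HDR.size] + b"evil" + good[HDR.size + 4:]
    print("unverified device installs:", accept_unverified(tampered))
    print("verified device says:", accept_verified(key, 1, tampered)[1])
```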

35 comments

  1. Bluetooth....? by Anonymous Coward · · Score: 0

    Why the fuck does a scooter need Bluetooth, how about a string of LEDs to let you know charge status and battery life like my DeWalt drill, you don't need any of this crap, just because a Bluetooth module costs 10 cents doesn't mean it should be included.

    1. Re: Bluetooth....? by Anonymous Coward · · Score: 1

      You can use their app to have a speedometer and odometer. It also lets you lock it, and get exact battery details.

      On a separate note, these are a bitch to upkeep - there is little to no repair documentation and you end up having to buy a lot of third party parts just to get them going for more than a month.

    2. Re: Bluetooth....? by Type44Q · · Score: 4, Funny

      Why the fuck does a scooter need Bluetooth,

      They needed a killer feature and the 'buttplug built into the seat' idea - a safety feature to keep you on the scooter - was determined to be too ahead of its time...

    3. Re: Bluetooth....? by Errol backfiring · · Score: 1

      Sounds like any communicated data should be read-only. Reading out battery details is nice, but why is the brake not a mechanical feature? There should be a manual engine shut off button as a safety feature, but the ability to accelerate and brake are stupid things to have remotely. This is just a senseless attack vector waiting to be abused.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    4. Re: Bluetooth....? by Ormy · · Score: 1

      Lets you lock it? What use is that if anyone with a Bluetooth phone can come along and unlock it with zero validation?

    5. Re: Bluetooth....? by Anonymous Coward · · Score: 0

      They needed a killer feature and the 'buttplug built into the seat' idea - a safety feature to keep you on the scooter - was determined to be too ahead of its time...

      That, and the sucking sound like a rubber boot being pulled from the mud when dismounting, and the images of goatse just caused really negative brand reactions in focus groups.

      On the other hand, it did serve to prove rule #34 as the engineers were quick to share the videos.

    6. Re: Bluetooth....? by Shotgun · · Score: 1

      It blocks the honest thieves.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    7. Re:Bluetooth....? by Anonymous Coward · · Score: 0

      To kill people. The whole point of IoT *IS* the gigantic security holes and dangers stemming from it all.
      You know how in old cyberpunk movies and game settings you can murder people by hacking them? Can entirely destroy someone's life by freezing their accounts and vehicles (and heating too why not)? Steal identities by going through the parking-meter they were forced to use at work?

      For every person who thinks "nobody would ever design something like that", there are two people in marketing telling everyone that no design would ever have vulnerabilities like that, and *twenty* people intentionally, explicitly and deliberately designing products specifically so that these things can in fact be made to happen. From common crooks to villainous corporations to oppressive governments, everyone wants IoT in your scooter.

      Everybody except YOU the customer... and they'll convince you otherwise quickly enough.

    8. Re: Bluetooth....? by Anonymous Coward · · Score: 0

      I've done over 1000km, the only poor feature are the air filled tires which pop too frequently. Replace them with solid tires and my 365 runs pretty well. I'm calling bullshit on your third party part requirements.

    9. Re: Bluetooth....? by Anonymous Coward · · Score: 0

      There is a single rear-disc brake but the scooter also has regenerative braking which could be engaged remotely, though even with both brakes the scooter doesn't stop nearly as fast as you'd imagine.

    10. Re: Bluetooth....? by Anonymous Coward · · Score: 0

      Everything is better with Bluetooth, didn't you know that?

  2. Apps == Idiots and assholes ... by Anonymous Coward · · Score: 0

    and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed.

    You know, I wish people would figure out this one simple fact ... if it's consumer electronics, and it involves an app, the app is going to be a steaming pile of shit which will spy on you, have piss poor security, or both.

    It will have been rushed out the door by greedy sacks of shit, little or no effort for even basic security will have been done, and it is likely designed to collect and monetize your data.

    I'm so fucking tired of this endless parade of stories about shit apps -- yes, we know, they're made by incompetent morons and pushed out the door by greedy motherfuckers.

    I refuse to buy products which are connected, because you are 100% guaranteed of them being poorly designed.

    I simply no longer have the ability to feel sorry for people who are buying this shit.

    Until companies have very severe legal liability for the quality of their apps and security, you pretty much have to assume you're not getting either of those things.

  3. genuine clean energy big comeback by Anonymous Coward · · Score: 0

    watson shorting out? will the real tesla (aka 'sparky') please turn over some leaves & stuff? no matter, good sports with good spirits prevail? 99.9*% guaranteed? see you there

  4. Shit, forgot to commit by iTrawl · · Score: 1

    # git diff --cached

    - var password = "";
    + var password = "password";
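    Review bot: the `+` line replaces an empty password with a hard-coded literal, `"password"`, which every reader of the source now holds; the fix for `var password = "";` is to load a per-device or per-user credential from provisioning or a secret store, not to embed one in the code. The commit message `"fixed security"` also says nothing about what changed or why.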

    # git commit -m "fixed security"
    # git push

    --
    "Everybody's naked underneath" -- The Doctor
    1. Re:Shit, forgot to commit by 110010001000 · · Score: 1

      Is that BASIC?

    2. Re:Shit, forgot to commit by iTrawl · · Score: 1

      I was thinking JavaScript.

      I don't remember a 'var' keyword in BASIC, and they use the colon to separate commands on the same line, not a semicolon.

      --
      "Everybody's naked underneath" -- The Doctor
  5. The Killer App! by Zorro · · Score: 1

    Joker Approved!

  6. Rani is a man by Anonymous Coward · · Score: 0

    So why would the attacker be giving herself access to the firmware? Come on and stop the PC crap!

    1. Re:Rani is a man by reboot246 · · Score: 1

      Maybe Rani sometimes identifies as a woman? There's a lot of nonsense going on out there and it seems to be getting worse. Only total war and many deaths will solve the problem.

  7. South Park did it by DontBeAMoran · · Score: 2
    --
    #DeleteFacebook
  8. More than cyber-safety issues by Roger W Moore · · Score: 1

    You can use their app to have a speedometer and odometer. It also lets you lock it, and get exact battery details.

    How exactly do you SAFELY use a speedometer on your phone while riding the scooter? It sounds like this sort of thing has more than just cyber-safety issues. All of these functions could be replaced by a simple LCD display for minimal cost and far safer functionality.

    1. Re:More than cyber-safety issues by Errol backfiring · · Score: 1

      Once you've checked the speedometer, you can lock it by parking into a tree.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:More than cyber-safety issues by drinkypoo · · Score: 1

      How exactly do you SAFELY use a speedometer on your phone while riding the scooter?

      I'd do it the same way one does it on a bicycle, with a handlebar cradle. Mind you, I don't do it on a bicycle, either. I have a three dollar cycle computer which tells me the things I might want to know all the time, like what time it is or how fast I'm going. If I were using my phone for GPS, I'd want to just keep it in my pocket, and use a bluetooth earpiece to get the navigation information.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:More than cyber-safety issues by Anonymous Coward · · Score: 0

      Wow! Dumbass alert! Check Amazon. You'll find a host of phone mounts for everything from scooters to bicycles. From bolt on to Velcro. You were actually stupid enough to think you're intended to hold the phone while riding? Please, for the sake of humanity, don't vote in ANY election.

  9. Lazy and stupid ... by Anonymous Coward · · Score: 0

    Zimperium is concerned about what will happen with Idan's findings, because when the company contacted Xiaomi to disclose the bugs, the scooter maker said it is aware of the problem and doesn't have the ability to fix it on its own.

    This is apparently because Xiaomi sources its Bluetooth implementation module from another third-party developer, rather than coding it in-house.

    This is why companies need strict legal liability for security.

    So Xiaomi were stupid, lazy, and incompetent .. they farmed out the work to someone who was also stupid, lazy, and incompetent .. and now they are shipping a piece of shit technology which is so utterly broken in terms of security it's pathetic.

    Sadly, this is exactly what I've come to expect of any piece of connected technology ... complete indifference to anything resembling security.

    If you're a company who sells connected products, you should be aware of just how stupid and incompetent you are at it. If you are someone who makes the apps for connected products, you should do the world a favor and go kill yourself.

    This is why I refuse to buy anything which thinks it's a "smart" device ... because you can rest assured the company selling it is totally unqualified to have not put out a shitty product.

    Pretty much, this shit needs to be such that if your product has a security/privacy issue, you are legally required to fix it ... and failure to do so means you have to refund the customer's money with additional damages.

    Fuck your connected product, and fuck your apps. Both of them have turned people into bigger idiots.

  10. It’s a feature! by R3d M3rcury · · Score: 1

    Actually, I kind of like the idea...

    So I’ll write an app that will apply the brakes and slow any scooter within Bluetooth range to 5 MPH. No more worries about getting hit by some idiot on a scooter.

    Now if I could do the same thing to e-bikes and cars, we’d have a winner!

    1. Re:It’s a feature! by Anonymous Coward · · Score: 1

      So I'll write an app that will apply the brakes and slow any scooter within Bluetooth range to 5 MPH. No more worries about getting hit by some idiot on a scooter.

      Nah, do it with kind of a doppler effect ... if it's coming towards you it slows linearly ... if it's driving away from you, it accelerates.

  11. I don't know, I can imagine an awful lot. by Impy the Impiuos Imp · · Score: 2

    "An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."

    Like a government official bans them in the name of safety, but really doing so at the behest of car companies or the bus drivers' union?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  12. commentsubject by Anonymous Coward · · Score: 0

    >> communicate with the product via a smartphone app

    Yeah, no, fuck shit that uses this sentence.

    Don't AKSHUALLY with exceptions that leave the rule standing.

  13. Whatever worst case scenario I can imagine? by wolrahnaes · · Score: 2

    "An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."

    I don't know, I can imagine some pretty amazing sequences of events that would be best described as "Rube Goldberg Final Destination directed by Michael Bay" but I'd be willing to bet that in reality "accelerate a person into traffic" is as bad as it'd ever get, and even that would assume the person somehow never thought to let go of the scooter. Everything else that's actually likely basically amounts to "make scooter rider fall down".

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
    1. Re:Whatever worst case scenario I can imagine? by Anonymous Coward · · Score: 0

      > Everything else that's actually likely basically amounts to "make scooter rider fall down".

      Does it occur to you that the owner of Segway brand (an ex military-industrial billionaire guy) died exactly that way?

  14. What is the worst case scenario you can imagine? by MonsterMasher · · Score: 1

    ".. or whatever the worst case scenario you can imagine."

    Well - I know a challenge when I see it!

    So, What would that be?
    Maybe .. Driving over a box filled with kittens in front of a class of little kids?

  15. I'd be more impressed... by Tesseractic · · Score: 1

    If the bluetooth hack let them control the steering as well. :^)E

    - I was a perfectionist; now I'm much better - I'll compromise.