Update | Security researchers claim to have hacked and remotely controlled Xiaomi electric scooters
Update: A spokesperson from Bird has subsequently reached out to NBC on this matter. The company clarified that their fleet is not affected by the researchers' findings "as we use our own brains or firmware on the vehicles [in question]".
If you are in one of a growing number of US cities, zipping about on an electric scooter may look like an attractive alternative to walking from place to far-flung place. Companies such as Lime and Bird have filled this gap in the market by maintaining fleets of these vehicles, which can be hired online. The fleets are managed through the ability to lock the scooters remotely via Bluetooth and an app interface.
The Xiaomi M365 electric scooter is a model popular with one or two of these companies. Unfortunately, the security research group Zimperium has reported that it is possible to hack these devices. The group found that the password intended to authenticate a user was not being implemented properly at the scooter’s Bluetooth module’s end. Therefore, a third party could carry out a denial-of-service (DoS) attack in order to lock the scooter themselves.
Zimperium has claimed that this remote hack can affect a Xiaomi M365 within 328 feet of the attacker. It has also noted that this vulnerability could be used to push malware to a scooter. This situation is potentially dangerous to a user, as these hacks could cause a scooter to stop dead in traffic, as well as brake or accelerate uncontrollably.
The research group has stated that it has notified Xiaomi of this defect via the OEM’s official channels. However, a patch or update to address it has not yet been forthcoming (correct at time of writing). Lime, on the other hand, has responded publicly in order to remind users that it does not have any Xiaomi-brand scooters in its service.