Update | Security researchers claim to have hacked and remotely controlled Xiaomi electric scooters

The Xiaomi M365 electric scooter. (Source: GearBest)
The Xiaomi M365 electric scooter is popular with ride-sharing companies such as Bird in the US. They can hire out such vehicles online thanks to the ability to remotely lock rental units as and when they need to. The research group Zimperium has claimed to be able to hijack this mechanism due to vulnerabilities found in Xiaomi's Bluetooth authentication procedure for the M365.

Update: A spokesperson from Bird has subsequently reached out to NBC on this matter. The company clarified that their fleet is not affected by the researchers' findings "as we use our own brains or firmware on the vehicles [in question]".

If you are in one of a growing number of US cities, zipping about on an electric scooter may look like an attractive alternative to walking from place to far-flung place. Companies such as Lime and Bird have filled this gap in the market by maintaining fleets of these vehicles, which can be hired online. This is managed through the ability to lock them remotely via Bluetooth and an app interface.

The Xiaomi M365 electric scooter is a popular model with one or two of these companies. Unfortunately, the security research group Zimperium has reported that it is possible to hack these devices. The group found that the password intended to authenticate a user was not being implemented properly at the scooter’s Bluetooth module’s end. Therefore, a third party could enact a denial-of-service (DoS) attack in order to lock the scooter themselves.

Zimperium has claimed that this remote hack can affect a Xiaomi M365 within 328 feet of the attacker. It has also noted that this vulnerability could be used to push malware to a scooter. This situation is potentially dangerous to a user, as these hacks could cause a scooter to stop dead in traffic, as well as brake or accelerate uncontrollably.

The research group has stated that it has notified Xiaomi of this defect via the OEM’s official channels. However, a patch or update to address it has not yet been forthcoming (correct at time of writing). Lime, on the other hand, has responded publicly in order to remind users that it does not have any Xiaomi-brand scooters in its service.

Deirdre O Donnell, 2019-02-12 (Update: 2020-01-20)