Zimperium found the flaw in the scooter’s Bluetooth module. Because the scooter was designed to allow users to remotely lock it on the Bluetooth app, the scooter is ultimately vulnerable to outside hacks, including remote control interference that can stop the scooters mid-ride. Zimperium demonstrated the hack by targeting random Xiaomi M365s on the street. The security experts were able to control the scooters up to 328 feet away, sending commands to the scooter while unsuspecting people were riding them. Hidden in the crowd, the security experts could take control over a scooter, slow it down, lock it down, or force it to accelerate.
Malicious hackers could theoretically target anyone they want, throwing unsuspecting riders into traffic or putting them in risky situations. Hackers could use a Denial of Service (DoS) attack to remotely lock any M365 scooter, stranding riders and causing large scale problems. Taking it a step further, hackers could even initiate a malware attack and install new firmware that would enable the hacker to take full control of the scooter while someone is riding it. Hackers can do this all right on the Bluetooth app, without password authentication, and they can do it hands-free. In fact, the security firm was able to quickly install unauthorized software, taking full control over the scooter. They were able to use all the features without the need for authentication.
People are already taking advantage of the technological vulnerability. A cheap Chinese hacking kit is reportedly being sold on the black market. The kit enables hackers to disable recovery and payment features set up by ride sharing services. In this way, the scooter can be stolen from the ride-sharing service.
The Xiaomi M365 is manufactured in China by Segway-Ninebot. This company is already dealing with defective scooter batteries that randomly burst into flames. Some of these defective scooters have been removed from the market, but the M365 is still a popular model used throughout the U.S. Ride-sharing companies such as Bird have known about the scooter's hacking vulnerabilities for over a year and have removed implicated scooters from their fleet. However, this problem could reoccur down the road if hackers continue to exploit the vulnerabilities in the wireless technology. Xiaomi scooters are sometimes rebranded and sold under different names, too, so the risk of being hacked while riding an electric scooter still remains.
According to Rani Idan, security researcher and director of platforms at Zimperium, the risk is there for “any ride-sharing service that uses Xiaomi scooters” that “didn’t disable or replace Xiaomi’s Bluetooth module.” Idan warns, “Xiaomi scooters are rebranded and sold under different names, [and] those might be affected.”
For more on technological vulnerabilities, visit CyberWar.News.