Xiaomi electric scooters vulnerable to remote hijacking


Electric scooters have swamped the streets of urban cities worldwide and considered an annoyance for some, may also now be considered a security and safety risk.

On Tuesday, researcher Rani Idan from San Francisco-based exploit seller Zimperium disclosed a vulnerability present in the Xiaomi M365 electric scooter which could potentially permit attackers to remotely control a vehicle, leading to issues including sudden acceleration or braking.

The problem lies in how the scooter authenticates its users, or the lack thereof.

According to Idan, passwords used to authenticate the scooter’s onboard computer systems are not being “properly used” during the authentication process, and as the password is only validated on the application side, the scooter does not monitor authentication states in itself — and so “all commands can be executed without the password.”

See also: Opening this image file grants hackers access to your Android phone

Without authentication or user consent, the researcher was able to lock the M365 through a denial-of-service (DoS) attack against the scooter’s anti-theft mechanism, as well as control braking and acceleration and lay the groundwork required to “install a new, malicious firmware that can take full control over a scooter.”

CNET: Russia may unplug from the internet to test its cyberdefenses

In order to demonstrate the vulnerability, Zimperium created a proof-of-concept (PoC) code developed as a malicious application which was able to scan for nearby Xiaomi M365 scooters and send crafted payloads to exploit the flaw.

Idan says that that vehicles up to 100 meters away can be exploited.

An attack which locks the scooter remotely can be viewed in the video below:

Security flaws which can affect the safety of Xiaomi M365 vehicles are serious enough, but it is also of note that these vehicles are also used, modified, and offered by third-party vendors through scooter rental schemes.

TechRepublic: Have tech companies taken two-factor authentication too far?

Zimperium says that Xiaomi was made aware of the findings and on 28 January 2019, the company said this was a “known issue internally” caused by “third-party products.” However, Zimperium says that the scooters are yet to be patched.

ZDNet has reached out to Xiaomi and will update if we hear back. 

Previous and related coverage

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *