Today, CNET reported that the Xiaomi M365 electric scooter has a flaw that may allow attackers to control it remotely, for example making it suddenly accelerate or suddenly brake. The source believes the problem lies in the scooter's password verification process, which is done over Bluetooth.
"During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn't keep track of the authentication state." This is the official statement coming our way from Zimperium.
Researchers say they can interact with the scooter's anti-theft system, navigation system and eco-mode, and update the device firmware, without any verification. Zimperium also released a proof-of-concept video demonstrating an application that scans for nearby Xiaomi M365 electric scooters and disables the vehicle using its own anti-theft feature. According to Zimperium, the application works against any scooter in this family within a radius of 100 meters.
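The defect Zimperium describes is a design one: the password is checked by the phone app, and the scooter keeps no record of whether a connection ever authenticated. The following is an added illustration written for this article, not the M365 firmware or Zimperium's code; it models a simplified command handler with a constructed password and command set, placing the flawed design next to a hardened one that validates on the device and tracks state per connection.

```python
"""Constructed model of app-side-only authentication versus device-side state.
Command names, the password and the Connection type are assumptions for the
example; none of this is the real M365 protocol."""
import hmac
from dataclasses import dataclass

DEVICE_PASSWORD = b"constructed-secret"   # secret provisioned on the device


@dataclass
class Connection:
    """Per-link state the peripheral keeps for one Bluetooth central."""
    authenticated: bool = False


class FlawedScooter:
    """Vulnerable design: the app checks the password before sending commands,
    but the device itself never checks it and executes whatever it receives."""

    def __init__(self) -> None:
        self.locked = False

    def handle(self, conn: Connection, cmd: str, arg: bytes = b"") -> str:
        # No authentication gate: the device trusts that the app already checked.
        if cmd == "LOCK":
            self.locked = True
            return "ok"
        if cmd == "UNLOCK":
            self.locked = False
            return "ok"
        return "error"


class HardenedScooter:
    """Fixed design: the device validates the credential itself, remembers the
    result for that connection only, and refuses privileged commands until then.
    (A production design would use a challenge-response instead of a raw password.)"""

    PRIVILEGED = {"LOCK", "UNLOCK", "SET_ECO", "FIRMWARE"}

    def __init__(self) -> None:
        self.locked = False

    def handle(self, conn: Connection, cmd: str, arg: bytes = b"") -> str:
        if cmd == "AUTH":
            # Constant-time comparison performed on the device, not in the app.
            conn.authenticated = hmac.compare_digest(arg, DEVICE_PASSWORD)
            return "ok" if conn.authenticated else "denied"
        if cmd in self.PRIVILEGED and not conn.authenticated:
            return "denied"   # authentication state lives here, per connection
        if cmd == "LOCK":
            self.locked = True
            return "ok"
        if cmd == "UNLOCK":
            self.locked = False
            return "ok"
        return "error"
```

Against the flawed model any connection can lock or unlock the scooter without ever presenting a password; the hardened model refuses until the device has verified the credential on that specific link, and a second connection does not inherit the first one's state.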
The vulnerability adds to existing concerns about rentable electric scooters. As these scooters continue to appear in major US cities, and regulators rush to introduce laws covering this new mode of transportation, the controversy surrounding them is growing. Many people are happy to ride scooters a few blocks through congested cities. Opponents believe riders often ignore traffic rules and ride on the sidewalk, endangering pedestrians, and park the vehicles wherever they like.
However, this is nothing new. The vulnerability discovered by Zimperium is similar to one found in the Segway hoverboard in 2017. IOActive found it could send commands to the Segway over Bluetooth without authentication and remotely halt the board.
Zimperium said it has already notified Xiaomi of the vulnerability, but Xiaomi did not immediately respond.