Beware, Xiaomi M365 scooter riders: security researchers say the scooters can be remotely hacked from up to 100 meters away to slam on the brakes or to accelerate.
Security researchers from Zimperium’s zLabs published a video showing their proof-of-concept (PoC) capable of disabling the scooter. In the PoC, the attacker connects to the scooter via Bluetooth and uses its anti-theft feature without user consent or authentication.
Various attack scenarios listed by Zimperium include locking the scooter via a denial-of-service attack, installing malicious firmware to gain complete control of the scooter, as well as targeted attacks on a specific rider to accelerate or suddenly brake.
In the accompanying report, Zimperium wrote:
The Bluetooth access allows the user to interact with the scooter for multiple features such as an Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter’s firmware. To access those features the user can use a dedicated app, and every scooter is protected by a password that can be changed by the user.
During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.
Therefore, we can use all of these features without the need for authentication.
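The design Zimperium describes is a device that leaves password checking entirely to the app. The following added example is not Zimperium's or Xiaomi's code: it models that design beside a device-side fix that verifies the password on the scooter and keeps per-connection authentication state. Command names, the password scheme and the lockout threshold are assumptions for illustration, not the M365 protocol.

```python
import hashlib
import hmac

# Constructed model of the flaw described above: the app checks the password,
# the scooter does not. Command names, the password scheme and the lockout
# threshold are assumptions for illustration, not the M365 protocol.
PRIVILEGED = {"lock", "unlock", "cruise", "firmware_update"}
MAX_FAILURES = 5


class VulnerableScooter:
    # Device side of the reported design: no authentication state at all.
    def __init__(self, password: str):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.locked = False

    def handle(self, conn_id: str, command: str, arg: str = "") -> str:
        # Whoever is connected over Bluetooth is treated as the owner.
        return self._execute(command)

    def _execute(self, command: str) -> str:
        if command == "lock":
            self.locked = True
        elif command == "unlock":
            self.locked = False
        return "ok"


class HardenedScooter(VulnerableScooter):
    # Verify the password on the device and track state per connection.
    def __init__(self, password: str):
        super().__init__(password)
        self._authed = set()     # connection ids that proved the password
        self._failures = {}      # failed attempts per connection

    def handle(self, conn_id: str, command: str, arg: str = "") -> str:
        if command == "auth":
            if self._failures.get(conn_id, 0) >= MAX_FAILURES:
                return "error: too many attempts"
            given = hashlib.sha256(arg.encode()).digest()
            if hmac.compare_digest(given, self._pw_hash):  # constant-time
                self._authed.add(conn_id)
                return "ok"
            self._failures[conn_id] = self._failures.get(conn_id, 0) + 1
            return "error: bad password"
        if command in PRIVILEGED and conn_id not in self._authed:
            return "error: not authenticated"
        return self._execute(command)

    def disconnect(self, conn_id: str) -> None:
        # Authentication dies with the connection and never outlives it.
        self._authed.discard(conn_id)
        self._failures.pop(conn_id, None)
```

The unauthenticated `lock` succeeds against the vulnerable model and is refused by the hardened one; the lockout limits password guessing over the link.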
Xiaomi, whose scooters are also used by different brands, was notified about the security flaw, but Zimperium warned that scooters will need a security update and cannot be easily fixed by users.
More IoT security news
Internet Society joins Mozilla in putting Walmart, Amazon, Best Buy, and Target on notice about insecure IoT
Speaking of IoT and the never-ending flow of flaws that come to light, the Internet Society joined with the Mozilla Foundation on calling for big retailers such as Walmart, Best Buy, Amazon, and Target to adhere to a set of minimum IoT security standards.
Examples of IoT devices paying the price for ignoring security and privacy include the easily hackable CloudPets, which were yanked off retailers’ shelves last year, and the EU’s recent recall of the Enox Safe-Kid-One smartwatch. That’s certainly better than nothing, but it seems we can hardly go a full week without hearing about some other device being hacked or leaking sensitive data.
Mozilla, the Internet Society, and nine other organizations make the point that if retailers decide to drop internet-connected devices that have shoddy-to-no security and no regard to privacy when it comes to collecting data, then vendors will make improvements to get their products back on the shelves. Consumers should be able to trust that these big retailers are selling products that won’t compromise their privacy and security. If the retailers agree, then it can help “to build a more secure, connected future.”
The letter to retailers includes a list of five minimum security and privacy standards: the use of encrypted communications; automatic security updates; required strong passwords that must replace default passwords upon initial setup of the device; vulnerability management, so flaws can be reported; and privacy practices that include having easily accessible and easily understood privacy policies. “Signing on to these minimum guidelines is the first step to turn the tide, and build trust in this space,” the letter to retailers reads.
Privacy not included Valentine’s Day IoT guide
The Mozilla Foundation has also compiled a Valentine’s Day guide of “romantic products” for which “privacy is not included.” Because the data collected from beds to sex toys and more is “deeply personal,” Mozilla noted, “it must remain private and secure. Sex toys are great for promoting intimacy and sexual health. Those same devices aren’t so fun if hacked.”