The most famous Mi Electric Scooter M365 from Xiaomi es one of the most popular electric scooters of the moment. Its excellent construction and price make the product a bestseller all over the world, and as is usual with these successful products, they also become the focus of hackers attention.
A security flaw in the Xiaomi M365 allows its remote control
The security group Zimperium has published a report in which they demonstrate that Xiaomi's scooter suffers from a vulnerability that allows you to take remote control of the device and run commands without any credentials needed for it. According to what they say, the user registration process is only necessary in the official application, however, in a direct connection with the device, no type of authentication is required, hence commands can be executed freely.
Our researchers were able to hack into one of the leading electric scooters – the Xiaomi M365 – and effectively lock, brake and/or accelerate the scooters of any passing riders. Read more about the discovery from the proof-of concept: https://t.co/w5kKAerEXJ pic.twitter.com/kcNSFuifDE
— ZIMPERIUM (@ZIMPERIUM) February 12th 2019
Once connected to the computer, the attacker could take the remote control from the scooter at a maximum distance of approximately 100 meters to execute commands such as skate lock o accelerating and braking for no apparent reason, actions that could undoubtedly cause an accident, affecting both the person riding the scooter and anyone else nearby. To do this, malware disguised as firmware would have to be installed, an operation that the scooter's Bluetooth module does not supervise at any time, so the attacker would have complete freedom to install whatever he wanted. In the video below, published by Zimperium, you can see how an application created for the occasion by the security group is capable of blocking the electric scooter from a distance.
As reported, Xiaomi has been aware of this issue for weeks, and they are currently working on a fix that will come in the form of a system update. However, everything indicates that the task will not be easy, since the bluetooth module that has been affected depends on a third-party manufacturer, so they will have to work together to launch some kind of joint solution. For now, this is all the information that is known about it, so we will have to be careful before the possible appearance of malicious applications that encourage this type of misdeed.
[RelatedNotice blank title=»These are the 5 electric scooters you can buy on Amazon»]https://eloutput.com/input/guide-compras/patinetes-electricos-amazon/[/RelatedNotice]
How to avoid the hack of your Xiaomi scooter?
Unfortunately the error affects the system level, so there is no way to prevent them from connecting to the scooter remotely. It is useless to establish a complex password through the official application, since as we have previously commented, the system does not require any type of authentication when making a direct connection. The only solution for now is to wait for the manufacturer to release the update with the security patch, so in the meantime you will have to be careful.
Actualización: We update the article with Xiaomi's official statements on the case.
Xiaomi is aware of the vulnerability that hackers with malicious intent can exploit to disrupt the operations of the Mi Electric Scooter. As soon as we found out about this vulnerability, we have been working to fix it and remove all unauthorized applications. Meanwhile, Xiaomi's product and security teams are preparing an OTA update that will be available as soon as possible. Xiaomi values feedback from our users and the security community. We are committed to constantly improving based on all feedback to build better and safer products.
2 update: From the community of users mixx.io they report that the Bluetooth connection security problem was an open secret for more than a year. This flaw was used to install homemade firmwares that allowed increasing the power of the skate, so the discovery might not seem so new. However, Zimperium's studies have shown the seriousness of the problem, and have served to understand how far one could go with such access.
In addition, this user has commented on an ingenious solution that would be used to block remote access to our skate, since it would be enough to link the skate with a device so that the connection is blocked at all times (a second device could not establish the connection), It is also possible to change the name of the device so that it pretends to be a phone with an open Bluetooth connection, something that would mislead the possible attacker.
[Thanks to M4p3x for the tip]