Zimperium's Mobile Security Blog

Don’t Give Me a Brake – Xiaomi Scooter Hack Enables Dangerous Accelerations and Stops for Unsuspecting Riders

This proof-of-concept (PoC) is released for educational purposes and evaluation by researchers, and should not be used in any unintended way. Furthermore, this PoC and any other related material has been published only after disclosing it to Xiaomi

Researcher: Rani Idan (@RaniXCH)

 

**UPDATE: Subsequent to the initial disclosure/posting, zLabs discovered a temporary mitigation solution. That solution is outlined near the bottom of this post.**

The rise of IoT devices brings with it a world of new opportunities and convenience, and unfortunately, serious risk. These risks can be found in your smart home, network devices, and even right under your feet  – electric scooters, the new urban way to commute all over the world.

This is why Zimperium takes IoT security seriously, and why we are working closely with vendors and manufacturers alike to increase security on IoT.

As part of our IoT research in Zimperium’s zLabs team, we looked at the Xiaomi M365 electric scooter and put it under our scope.

Xiaomi’s scooter has a significant market share and is being used by different brands with some modifications. Bluetooth communication is utilized to manage the scooter.

The Bluetooth access allows the user to interact with the scooter for multiple features such as an Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter’s firmware. To access those features the user can use a dedicated app, and every scooter is protected by a password that can be changed by the user.

During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.

Therefore, we can use all of these features without the need for authentication.

In the video below, we demonstrate a PoC locking the scooter using our malicious application that scans for nearby Xiaomi M365 scooters and disables them by using the anti-theft feature of the scooter – – without authentication or the user consent.

The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 meters away.

Utilizing what we learned from the command channel of the scooter, these attack scenarios can be leveraged:

  • Denial of Service attack – Lock any M365 scooter
  • Deploy Malware – Install a new malicious firmware that can take full control over the scooter.
  • Targeted Attack – Target an individual rider and cause the scooter to suddenly brake or accelerate.

We also developed a PoC for installing malicious firmware capable of accelerating the scooter – due to the safety concerns, we won’t publish this PoC.

You can find the lock app sources here

Temporary Mitigation

In order to prevent an attacker from connecting to the M365 scooter remotely, it is possible to use Xiaomi’s application from your mobile before riding and connect to the scooter, once your mobile is connected and kept connected to the scooter an attacker won’t be able to remotely flash malicious firmware or lock your scooter.

Disclosure

The security concern was reported to Xiaomi and is attached below.

Xiaomi’s response to our disclosure.

Unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user.

 

Kudos to my colleagues @OriHCX, @_coreDump and Sagi Strauss for brilliant ideas and contribution.