Connecting state and local government leaders
A cybersecurity firm showed they could take control of an e-scooter someone was riding from up to 100 meters.
A report released Tuesday showed how hackers could take control of a particular model of e-scooter, including braking and acceleration, from up to 100 meters away.
According to the report by the cybersecurity firm Zimperium, they were able to use Bluetooth “to interact with the scooter for multiple features such as an Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter’s firmware.”
“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password,” Zimperium researcher Rani Idan wrote in his report.
A video purportedly shows a Zimperium hacker using a “malicious application” scan for nearby Xiaomi M365 scooters and stopping one them using the scooter’s anti-theft feature.
The scooter in question, the Xiaomi M365 electric scooter, made up the first generation fleet for the e-scooter company Bird. While many of those scooters are still in use, a Bird spokesperson told Route Fifty their scooters were never affected by the bug due to the fact that they built their own custom firmware system from the ground up.
Lyft has also utilized Xiaomi scooters for their expansion into the dockless two-wheeler space (Route Fifty reached out to Lyft for comment, but has not heard from them prior to publishing). Lyft customizing Xiaomi scooters became a point of contention for Xiaomi late last year, leading to a cease-and-desist letter to Lyft on the matter.
“Lyft’s modification to any scooters originally manufactured by Xiaomi without our knowledge, participation, or approval undoubtedly exposes Xiaomi to serious legal risks and liabilities for consumer safety and product liability,” the letter states.
But Zimperium contends that when their researcher reached out to Xiaomi about the security flaw they uncovered, the company didn’t really engage. Zimperium published communications from the Chinese company acknowledging the problem, saying it was a “known issue internally” due to third-party products.
Zimperium provided Route Fifty with a transcript of its efforts to disclose the information to Xiaomi. The cybersecurity firm offered to let them review the results so they could patch the flaw prior to the firm making the results public on the web (and, yes, it is a “how to” guide).
According to Zimperium, Xiaomi never responded.
Zimperium reported “the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user.”
In a statement provided after publication, Xiaomi said the company is "aware of the vulnerability which hackers with malicious intent might exploit to interrupt the operations of Mi Electric Scooter." The company is working on a fix, the statement said, and will provide an over-the-air update "as soon as possible."
While there are no reports of commercial dockless scooter vendor having deployed Xiaomi with the security flaw, the Xiaomi Mi M365 Electric Scooter is available via online retailers to the public. Individuals using those scooters on city streets are most likely unaware of the potential vulnerability to their vehicle.
Meanwhile, despite their ubiquity, states and localities are still scrambling to create laws around e-scooters.
Editor's note: This story was updated after publication to include a comment from Xiaomi.
Mitch Herckis is Senior Editor and Director of Strategic Initiatives for Route Fifty.