Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes even turn into the worst nightmare of your life.
The Xiaomi M365 Electric Scooter comes with a mobile app that uses password-protected Bluetooth communication, allowing riders to securely interact with their scooters remotely for features such as changing the password, enabling the anti-theft system, cruise control, eco mode, updating the scooter's firmware, and viewing other real-time riding statistics.
However, researchers found that because the password is not properly validated at the scooter's end, a remote attacker up to 100 meters away could send unauthenticated commands over Bluetooth to a targeted vehicle without needing the user-defined password.
"During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password," Rani Idan, researcher with Zimperium zLabs, explains in a report shared with The Hacker News.
"The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state."
By exploiting this issue, an attacker can carry out the following attack scenarios:
Locking Scooters: A kind of denial-of-service attack, in which an attacker can suddenly lock any M365 scooter in the middle of traffic.
Deploying Malware: Since the app allows riders to upgrade the scooter's firmware remotely, an attacker can also push malicious firmware to take full control of the scooter.
Targeted Attack [Brake/Accelerate]: Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.
To demonstrate one of the attack scenarios, as shown in the video, researchers developed a specialized proof-of-concept (PoC) app that scans for nearby Xiaomi M365 scooters and locks them using the scooter's anti-theft feature, without authentication or the victim's knowledge.
"The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 meters away," the researchers say.
The researchers also developed a PoC app for installing malicious firmware capable of accelerating the scooter, but out of concern for the safety of M365 Electric Scooter riders, they will not publish it.
Zimperium already reported their findings to Xiaomi two weeks ago. The Chinese company acknowledged them, saying that its team was aware of the issue and is working on a fix to address it.
Since there is no mitigation that users can deploy at their end, M365 Electric Scooter riders are advised to install the patches as soon as they become available. Until then, they cannot do anything except avoid riding their scooters for a while.
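The device-side check whose absence the researchers describe can be modeled as follows. This is an added example, not Xiaomi's firmware or Zimperium's code; the command names, the 6-byte PIN, and the session struct are assumptions, and no real M365 protocol bytes are used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model: command names, PIN length and session layout are
 * assumptions for illustration, not the M365 protocol or firmware. */
enum cmd { CMD_AUTH, CMD_READ_STATS, CMD_LOCK, CMD_FW_UPDATE };
enum result { RES_OK, RES_DENIED, RES_BAD_PIN };
#define PIN_LEN 6
struct session { bool authenticated; };  /* one per BLE connection, on the device */

/* Constant-time compare: run time does not depend on where the bytes differ. */
static bool pin_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Pattern the report describes: the device assumes the app already checked
 * the password, so any connected peer's command is accepted. */
enum result handle_vulnerable(enum cmd c) { (void)c; return RES_OK; }

/* Device-side enforcement: the scooter verifies the password itself and
 * gates every other command on per-connection state. */
enum result handle_hardened(struct session *s, const uint8_t *stored_pin,
                            enum cmd c, const uint8_t *arg, size_t arg_len)
{
    if (c == CMD_AUTH) {
        s->authenticated = arg != NULL && arg_len == PIN_LEN &&
                           pin_equal(arg, stored_pin, PIN_LEN);
        return s->authenticated ? RES_OK : RES_BAD_PIN;
    }
    return s->authenticated ? RES_OK : RES_DENIED;
}
/* Run on every disconnect so the next peer starts unauthenticated. */
void on_disconnect(struct session *s) { s->authenticated = false; }

int main(void)
{
    const uint8_t pin[PIN_LEN] = { '4', '7', '1', '1', '0', '9' }; /* constructed */
    struct session s = { false };
    printf("vulnerable, no auth, LOCK  -> %d\n", handle_vulnerable(CMD_LOCK));
    printf("hardened, no auth, LOCK    -> %d\n", handle_hardened(&s, pin, CMD_LOCK, NULL, 0));
    printf("hardened, AUTH correct PIN -> %d\n", handle_hardened(&s, pin, CMD_AUTH, pin, PIN_LEN));
    printf("hardened, after auth, LOCK -> %d\n", handle_hardened(&s, pin, CMD_LOCK, NULL, 0));
    on_disconnect(&s);
    printf("hardened, reconnect, LOCK  -> %d\n", handle_hardened(&s, pin, CMD_LOCK, NULL, 0));
    return 0;
}
```

The point of the model is that the authenticated flag lives on the scooter and is checked for every command, so a client that skips the app's password prompt gains nothing.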