The Xiaomi M365, a popular electric scooter that had been used by Bird, has a flaw where hackers can take control of its accelerator and brake, potentially causing injury to the rider.
Researchers at Zimperium zLabs have demonstrated in a YouTube video, embedded below, how a smartphone can be used to connect to the scooter's Bluetooth module without the need for a username, password or any kind of authentication.
- Uber launches Jump electric scooter hire business
- Bird and Lime's Achilles heel? The winter cold
- How San Francisco became overrun by e-scooters
Once connected, the researchers were able to remotely control the scooter's functions — such as its accelerator and brake. This could potentially be used to suddenly speed up or stop the scooter while it is being ridden, causing the rider to fall off.
The video shows how a hacker sat close to one of these scooters — on a bench while a nearby rider waits to cross a road, for example — can connect via Bluetooth and take control of it.
The M365 has been used by popular scooter hire services, like Bird. However, Bird has now phased out its use of the M365 for reasons unrelated to this security flaw.
In a blog post published this week, Zimperium says how the Xiaomi M365 scooter "has a significant market share and is being used by different brands with some modifications."
The scooter's Bluetooth connection is available so riders can use an app to connect and use their phone as a speedometer, or for switching the scooter into eco mode and activating the cruise control.
The connection is also used to update the scooter's firmware, but connecting a phone is not required to use the scooter. If a phone isn't connected, then a hacker can remotely pounce on the scooter's Bluetooth module and take control.
Zimperium said: "During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password...therefore, we can use all of these features without the need for authentication."
The research firm claims the hack works at distances of up to 100 meters (328 feet), and that rider consent is not required.
Zimperium said how, with this attack, it could lock any M365 scooter, install malware, or cause any targeted scooter to suddenly brake or accelerate.
Alarmingly, when contacted by the researchers Xiaomi said it was aware of the flaw but was unable to immediately fix it. This, the company says, is because the Bluetooth module was produced by a third party. "We are trying to communicate solutions to each other," Xiaomi said.