The Xiaomi M365, a popular electric scooter used by several ride-share companies such as BIRD as well as for personal ownership, is vulnerable to remote hacking due to improper password validation.
The scooters have Bluetooth access, which lets the user interact with them through a dedicated app on the user’s phone for several features, including the Anti-Theft System, Cruise-Control, Eco Mode and updates to the scooter’s firmware.
Zimperium researchers found the scooters were vulnerable to denial-of-service attacks, in which a threat actor could lock a user out of operating the device; to the deployment of malware that could take full control of the vehicle; and to targeted attacks that could cause the scooter to suddenly brake or accelerate.
Although every scooter is protected by a password that the owner can change, researchers found that all commands could be executed without it, because the password is validated only on the application side and the scooter itself does not keep track of the authentication state. According to a Feb. 12 blog post, “we can use all of these features without the need for authentication.”
“To prevent an attacker from connecting to the M365 scooter remotely, it is possible to use Xiaomi’s application from your mobile before riding and connect to the scooter, once your mobile is connected and kept connected to the scooter an attacker won’t be able to remotely flash malicious firmware or lock your scooter,” the post said.
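The design flaw described above, application-side password checks with no authentication state on the device, can be contrasted with a device-side design in a small model. This is an added illustration, not Xiaomi firmware or Zimperium’s code; the command set, the `scooter_t` structure and the plaintext password check are hypothetical simplifications (a real device should use a challenge-response over BLE rather than sending a password).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical command set for the model (not the real M365 protocol). */
enum cmd { CMD_AUTH = 1, CMD_LOCK = 2, CMD_FLASH_FW = 3 };

typedef struct {
    char password[16];
    bool authenticated;   /* session state tracked on the device itself */
    bool locked;
} scooter_t;

/* Flawed pattern: the device assumes the app already checked the password,
 * so every command from any connected peer is executed. */
bool handle_cmd_app_side_auth(scooter_t *s, int cmd, const char *arg) {
    (void)arg;
    switch (cmd) {
    case CMD_LOCK:     s->locked = true; return true;
    case CMD_FLASH_FW: return true;   /* accepts firmware from anyone in range */
    default:           return false;
    }
}

/* Hardened pattern: the device validates the credential itself and keeps
 * per-connection authentication state; privileged commands are refused
 * until that state is set. */
bool handle_cmd_device_side_auth(scooter_t *s, int cmd, const char *arg) {
    if (cmd == CMD_AUTH) {
        /* Simplified check; use a constant-time comparison / challenge-response in practice. */
        s->authenticated = (arg != NULL && strcmp(arg, s->password) == 0);
        return s->authenticated;
    }
    if (!s->authenticated)
        return false;                 /* unauthenticated peer: reject */
    switch (cmd) {
    case CMD_LOCK:     s->locked = true; return true;
    case CMD_FLASH_FW: return true;
    default:           return false;
    }
}

/* Authentication must not outlive the connection it was established on. */
void on_disconnect(scooter_t *s) { s->authenticated = false; }
```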