The Xiaomi M365, a popular electric scooter used by several ride-share companies such as BIRD as well as for personal ownership, is vulnerable to remote hacking due to improper password validation.
The scooters are enabled with Bluetooth access which allows the user to interact with the scooters for multiple features including its Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter’s firmware through a dedicated app on the user’s phone.
Zimperium researchers found the scooters were vulnerable to denial of service attacks, in which a threat actor could lock a user out of operating the device; to the deployment of malware that could take full control of the vehicle; and to targeted attacks that could cause the scooter to suddenly brake or accelerate.
Although every scooter is protected by a password that the owner can change, researchers found that all commands could be executed without it: the password is validated only on the application side, and the scooter itself does not keep track of the authentication state. According to a Feb. 12 blog post, “we can use all of these features without the need for authentication.”
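The design flaw described above is client-side authentication: the phone app checks the password, but the device executes whatever it receives and never records whether the peer proved knowledge of the secret. The following added example (not Xiaomi's protocol or Zimperium's code; the command names, the HMAC challenge-response scheme and the password-derived secret are constructed for illustration) models a BLE peripheral's command handler in both forms, so the difference in where the authentication state lives is visible in code.

```python
"""Device-side authentication state: vulnerable vs hardened command handler.

Constructed illustration, not the scooter's real firmware or protocol.
"""
import hashlib
import hmac
import secrets

# Hypothetical command set, standing in for the features the app exposes.
COMMANDS = {"lock", "unlock", "set_cruise_control", "flash_firmware"}


class VulnerableScooter:
    """Models the flaw: the password is checked only inside the phone app,
    so the device has no authentication state and runs every command."""

    def __init__(self):
        self.log = []

    def handle(self, command: str) -> str:
        if command not in COMMANDS:
            return "error: unknown command"
        self.log.append(command)  # executed for any connected peer
        return f"ok: {command}"


class HardenedScooter:
    """Keeps the authentication state on the device. A command runs only
    after a fresh challenge-response proof of the shared secret on this
    connection; disconnecting resets the state."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending_challenge = None
        self._authenticated = False
        self.log = []

    def challenge(self) -> bytes:
        """Issue a random, single-use nonce; any earlier auth is dropped."""
        self._pending_challenge = secrets.token_bytes(16)
        self._authenticated = False
        return self._pending_challenge

    def authenticate(self, response: bytes) -> bool:
        """Accept HMAC-SHA256(secret, challenge) in constant time."""
        if self._pending_challenge is None:
            return False  # no outstanding challenge: replay or out of order
        expected = hmac.new(self._secret, self._pending_challenge,
                            hashlib.sha256).digest()
        self._pending_challenge = None  # nonce is consumed either way
        self._authenticated = hmac.compare_digest(expected, response)
        return self._authenticated

    def disconnect(self) -> None:
        self._authenticated = False
        self._pending_challenge = None

    def handle(self, command: str) -> str:
        if command not in COMMANDS:
            return "error: unknown command"
        if not self._authenticated:
            return "error: not authenticated"
        self.log.append(command)
        return f"ok: {command}"


def app_response(secret: bytes, challenge: bytes) -> bytes:
    """What a legitimate app computes from the owner's password-derived key."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo() -> dict:
    """Run both handlers through the same sequence and return the outcomes."""
    owner_secret = hashlib.sha256(b"owner-password-example").digest()  # constructed
    vuln = VulnerableScooter()
    hard = HardenedScooter(owner_secret)
    results = {}

    # An unauthenticated peer sends a lock command to each device.
    results["vuln_unauth"] = vuln.handle("lock")
    results["hard_unauth"] = hard.handle("lock")

    # A peer with the wrong secret fails the challenge and stays locked out.
    c = hard.challenge()
    results["hard_wrong_secret"] = hard.authenticate(app_response(b"wrong", c))
    results["hard_after_wrong"] = hard.handle("flash_firmware")

    # The owner's app proves the secret; commands are then accepted.
    c = hard.challenge()
    good = app_response(owner_secret, c)
    results["hard_auth"] = hard.authenticate(good)
    results["hard_cmd"] = hard.handle("lock")

    # Replaying the old response without a new challenge is rejected.
    results["hard_replay"] = hard.authenticate(good)

    # Authentication is per connection: dropping it revokes access.
    hard.disconnect()
    results["hard_after_disconnect"] = hard.handle("unlock")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The important property is not the choice of HMAC but that `_authenticated` is a field on the device, set only by the device's own verification and cleared on disconnect; a password check that lives in the app can be bypassed by any client that simply does not perform it.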
“To prevent an attacker from connecting to the M365 scooter remotely, it is possible to use Xiaomi’s application from your mobile before riding and connect to the scooter. Once your mobile is connected and kept connected to the scooter, an attacker won’t be able to remotely flash malicious firmware or lock your scooter,” the post said.
Fortunately, a temporary mitigation was released for the scooter: use the Xiaomi mobile app to connect to the scooter before riding. As long as the connection between the mobile app and the scooter is maintained, an attacker won't be able to remotely flash malicious firmware or lock the scooter.