Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks

February 12, 2019


Swati Khandelwal

Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes could even turn into the worst nightmare of your life.

If you are an electric scooter rider, you should be concerned.

In a report shared with The Hacker News in advance, researchers from mobile security firm Zimperium say they have discovered an easy-to-execute but serious vulnerability in the M365 Folding Electric Scooter by Xiaomi that could potentially put riders' lives at risk.

The Xiaomi e-Scooter has a significant market share and is also used by other brands with some modifications.

The Xiaomi M365 Electric Scooter comes with a mobile app that uses password-protected Bluetooth communication, allowing riders to interact with their scooters remotely for features such as changing the password, enabling the anti-theft system, cruise control, eco mode, updating the scooter's firmware, and viewing other real-time riding statistics.

However, the researchers found that, because the scooter does not properly validate the password at its end, a remote attacker up to 100 meters away could send unauthenticated commands over Bluetooth to a targeted vehicle without knowing the user-defined password.
“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password,” Rani Idan, researcher with Zimperium zLabs, explains in a report shared with The Hacker News. “The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”
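The design flaw the researchers describe, modelled as an added example (not Zimperium's PoC and not the M365 protocol: command IDs, frame layout and the challenge-response are all constructed): a peripheral that trusts the app to have checked the password beside one that keeps per-connection authentication state itself.

```python
"""Constructed model of a BLE command handler. The vulnerable variant executes
privileged commands as soon as they arrive; the hardened one requires each
connection to prove knowledge of the password before privileged commands run."""
import hashlib
import hmac
import os

# Hypothetical command IDs, not the real scooter protocol.
CMD_AUTH = 0x01   # carries the client's proof of the password
CMD_LOCK = 0x10   # engage the anti-theft lock
CMD_FW = 0x20     # begin a firmware update
PRIVILEGED = {CMD_LOCK, CMD_FW}


class VulnerableScooter:
    """Password is checked only by the app; the device never sees an auth state."""
    def __init__(self):
        self.locked = False

    def handle(self, frame: bytes) -> str:
        if frame[0] == CMD_LOCK:
            self.locked = True          # any nearby central can do this
            return "locked"
        return "ignored"


class HardenedScooter:
    """Device-side auth: a fresh nonce per connection, HMAC proof, and a
    per-connection 'authed' flag gating every privileged command."""
    def __init__(self, password: bytes):
        self._password = password
        self.locked = False
        self._sessions = {}             # conn_id -> {"nonce": bytes, "authed": bool}

    def connect(self, conn_id: str) -> bytes:
        nonce = os.urandom(16)
        self._sessions[conn_id] = {"nonce": nonce, "authed": False}
        return nonce                    # sent to the client as the challenge

    def handle(self, conn_id: str, frame: bytes) -> str:
        s = self._sessions.get(conn_id)
        if s is None:
            return "rejected: no session"
        cmd, body = frame[0], frame[1:]
        if cmd == CMD_AUTH:
            expected = hmac.new(self._password, s["nonce"], hashlib.sha256).digest()
            if hmac.compare_digest(expected, body):
                s["authed"] = True
                return "authenticated"
            return "rejected: bad proof"   # a real device would also rate-limit here
        if cmd in PRIVILEGED and not s["authed"]:
            return "rejected: unauthenticated"
        if cmd == CMD_LOCK:
            self.locked = True
            return "locked"
        return "ignored"


def client_proof(password: bytes, nonce: bytes) -> bytes:
    """What a legitimate app would send in response to the challenge."""
    return bytes([CMD_AUTH]) + hmac.new(password, nonce, hashlib.sha256).digest()
```

Because the user-chosen password is short, the hardened variant still needs rate limiting or a pairing-derived key to resist guessing against a captured nonce and proof.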

By exploiting this issue, an attacker can perform the following attack scenarios:
Locking Scooters—A sort of denial-of-service attack, wherein an attacker can suddenly lock any M365 scooter in the middle of traffic.
Deploying Malware—Since the app allows riders to upgrade the scooter’s firmware remotely, an attacker can also push malicious firmware to take full control over the scooter.
Targeted Attack [Brake/Accelerate]—Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.

To demonstrate one of the attack scenarios, as shown in the video, the researchers developed a specialized proof-of-concept (PoC) app that scans for nearby Xiaomi M365 scooters and locks them using the scooter’s anti-theft feature, without authentication or the victim’s knowledge. “The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 meters away,” the researchers say.

The researchers also developed a PoC app for installing malicious firmware capable of accelerating the scooter, but out of concern for the safety of M365 Electric Scooter riders, they will not publish that PoC.

Zimperium reported its findings to Xiaomi two weeks ago. The Chinese company acknowledged them, saying that its team was aware of the issue and is working on a fix to address it.

Since there is no mitigation that users can deploy at their end, M365 Electric Scooter riders are advised to install the patches as soon as they become available. Until then, they cannot do anything except avoid riding their scooters for a while.

The post Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks appeared first on Quinta’s weblog.

Source: Stefano Quintarelli’s blog
