Preface: I am not advising anyone to do anything illegal. Hack your own hardware.
Personal adult electric scooters are now everywhere, and they are fun. Individuals use them for daily commutes, people without other transport gain new range, and companies like Bird, Lime and Spin fill the streets with on-demand rental opportunities.
With new technologies come new vulnerabilities, and with new vulnerabilities come new attacks. Adult electric scooters are no exception. Hackers and tinkerers have reached new heights in hacking scooters, 3D printing parts, and creating custom firmware. Recently, hackers have tried to “unleash” the on-demand scooters that fill the streets. Their motives vary: ethical, financial, or simply practical.
The Xiaomi Mi M365 electric scooter offers a long-range battery rated at 8.6 miles and can reach speeds of up to 15.5 MPH. It can be purchased new for around $400 from the manufacturer or from your favorite online store beginning with the letter A. It is also the original model used by Bird, with minor hardware changes. The process of “unleashing” a rental scooter is very similar to the upgrade I did on one of my personal scooters: I replaced the original dashboard with the newer PRO model version. While the hack doesn’t require a PRO board, that board does add things like a digital speedometer and faster speed modes.
Vulnerability #1: Open Bluetooth connection
The M365 (and some other models) lets riders use official and third-party apps over Bluetooth to monitor things like battery charge and speed. This differs from other personal vehicles, such as the OneWheel, which require the rider to come to a complete stop before connecting via Bluetooth. While the official app may require Bluetooth pairing to communicate with the scooter, no PIN or other authentication is required for third-party apps and firmware utilities to connect. An attacker can therefore connect to and control other people’s scooters in public places. This leads to…
Vulnerability #2: Write your own firmware
The electric scooter uses three separate systems to perform its magic: BLE handles the Bluetooth LE communication, BMS is the battery management system, and DRV is the manufacturer’s firmware that drives the scooter and holds all of its settings.
After connecting over the open Bluetooth link, no additional authentication is required to write custom firmware. Sites like isinwheel.com/collections/electric-scooters let the user set their own values, such as removing speed limits and the hard caps per riding mode, changing cruise-control values, supporting higher-voltage batteries, and other powerful features. Once the settings are changed, generating the new .bin file takes only a few seconds.
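As an added example (not Xiaomi's, Bird's or any firmware site's code), the following Python models how a controller could close the first two weaknesses above: a challenge/response before any write command is honoured, and an integrity-tagged firmware image with an anti-rollback version check. The image layout, keys and version numbers are all constructed for the example, and the HMAC tag stands in for the asymmetric signature a real bootloader should verify so that the scooter itself holds no signing secret.

```python
import hashlib, hmac, os, struct
# Constructed example (not Xiaomi's code): a minimal model of a scooter
# controller's BLE command handler with two fixes: a challenge/response before
# any write is honoured, and an integrity-tagged image with anti-rollback.
# Keys and version numbers are invented for the example, not real M365 values.
PAIRING_KEY = b"constructed-pairing-key"
FIRMWARE_KEY = b"constructed-firmware-key"  # symmetric stand-in for a signing key
HDR = struct.Struct("<I")  # header: firmware version (little-endian u32)
TAG_LEN = 32  # HMAC-SHA256 digest size

def build_image(version: int, payload: bytes) -> bytes:
    """Image layout: header || payload || HMAC-SHA256(header || payload)."""
    body = HDR.pack(version) + payload
    return body + hmac.new(FIRMWARE_KEY, body, hashlib.sha256).digest()

def app_response(nonce: bytes) -> bytes:
    """What a legitimately paired app answers to the controller's challenge."""
    return hmac.new(PAIRING_KEY, nonce, hashlib.sha256).digest()

class Controller:
    def __init__(self, installed_version: int):
        self.installed_version = installed_version
        self.authenticated = False
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)  # fresh nonce, single use
        return self._nonce

    def authenticate(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge to answer
        expected = app_response(self._nonce)
        self._nonce = None  # a captured reply cannot be replayed later
        self.authenticated = hmac.compare_digest(expected, response)
        return self.authenticated

    def write_firmware(self, image: bytes) -> str:
        if not self.authenticated:
            return "unauthenticated"  # the open-BLE weakness, closed
        if len(image) < HDR.size + TAG_LEN:
            return "bad-signature"
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(FIRMWARE_KEY, body, hashlib.sha256).digest(), tag):
            return "bad-signature"  # unsigned or tampered .bin is refused
        (version,) = HDR.unpack_from(body)
        if version <= self.installed_version:
            return "rollback"  # refuse downgrades to older, weaker firmware
        self.installed_version = version
        return "ok"
```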
Vulnerability #3: No hardware security
The upgrade I did (and part of the “unleashing” process, as I was told) was to replace the entire control board on the scooter. The board includes the Bluetooth BLE controller and acts as the brain of the scooter. Boards are VERY rare (ahem) and can be purchased at your favorite internet hardware store or, in some cases, Walmart (not recommended). Swapping the board takes only a few minutes, and new firmware can be flashed immediately from an Android phone or tablet. After replacing the instrument cluster and writing new firmware, the scooter is effectively under the full control of its new owner.
While the above three vulnerabilities appear harmless on their own, their combination allows an attacker to take control of any scooter. Connecting over open Bluetooth, replacing the circuit board and flashing custom firmware strips every control the original operator had over the scooter. As a bonus, it lets consumers enjoy software and hardware features they didn’t have before. I’ve heard rumors that hackers have hijacked scooters and disabled the brakes, leaving riders no way to stop other than switching the scooter off entirely, whether for illicit reasons or out of malice. I’ve also seen homeless people and underground contractors ‘freeing’ scooters and making money from them. Police and city auctions have been hot spots for Version 1 scooters looking for a new life for just $25 and a few free minutes.
Scooter companies invest in their products, so there are other security mechanisms in place, such as GPS tracking, SIM cards, and serial-number detection. One competitor’s model connects the high-voltage instrument cluster directly to the battery via an aftermarket cable. Attempting to replace the dashboard incorrectly on these models could blow up the dashboard and injure you or damage the scooter.
Various electric scooter models and updated firmware have been released since this article was first drafted. Bird appears to be using newer Segway models, and others with an external battery instead of one under the main hood. The holes mentioned above have been fixed, although hacking the latest models is not impossible. Version 1.5.1 of the official M365 firmware encrypts Bluetooth communications and, although a step in the right direction, drops support for third-party apps.
Personal transportation continues to permeate our lives, and security thinking should permeate it too. As adoption accelerates, I expect the security model of this increasingly important technology to mature as well. Electric scooters, electric skateboards, electric unicycles, hover shoes and even drones are at risk and should be designed on the assumption that someone will attack them. We have to do better. Knowing I could reach it from my phone, would you trust a 50 km/h electric scooter with your life?