Xiaomi M365 Electric Scooter Vulnerable to Remote Hacking
- Attackers can send commands to the Xiaomi M365 e-scooter and risk the lives of its riders.
- The commands can be as simple as accelerating or send a full-fledged malware tool to it.
- Xiaomi has not fixed the security issue yet, two weeks after they have been notified by the researchers who made the discovery.
Xiaomi’s e-scooters are some of the most popular of the kind, as they feature amazing build quality and performance for the price range. Their latest model, M365 has received tremendous reviews from urban scooter experts, so it is set to continue the company’s conquering presence on the particular market. The problem with the particular model is that it comes with more smart features than previous models did, and unfortunately, this introduces a set of vulnerabilities that allow remote attacks to send commands to the scooter, possibly even endangering the very life of the rider.
More specifically, and according to Zimperium researcher Rani Idan who discovered the security issue and presented Xiaomi with a proof-of-concept, a hole in the e-scooter’s authentication system allows an attacker to connect to it directly, bypassing the app. The app does feature an authentication layer, but the attacker doesn’t need to use it at all in order to send commands to the scooter. The team has activated the scooter’s anti-theft mode, so it essentially disabled the scooter of the victim through Bluetooth communication (up to 100 meters). The following demonstration video shows how this scenario would look in real life.
Besides locking the M365 scooter, an attacker could deploy full-control malware through a fake firmware upgrade package, or send a command to brake or accelerate out of a sudden. Obviously, this could result in serious injuries and life-threatening scenarios for the scooters’ owners, as getting suddenly stuck in the middle of the traffic or accelerating while the traffic light is still red are simple yet effective ways to get someone killed. This is why the actual proof of concept code has not been released to the public, as Xiaomi is currently working on the update that will plug the security vulnerabilities.
Xiaomi responded by acknowledging the issue on January 28, explaining that because the product is the result of third-party cooperation, they will need more time than usual to plug the vulnerability. Since the update that will fix the problem is not yet out, the matter has been disclosed. If you are an M365 e-scooter owner, you may want to park it on your garage for a while. That is until the firmware update arrives and you’re safe to hit the road again.
Are you a Xiaomi scooter owner? Have you ever had unexpected/weird behavior from it? Let us know of your experience with it in the comments below, and don’t hesitate to do the same on our socials, on Facebook and Twitter.