New IOActive research exposes critical security vulnerabilities found in the Segway miniPRO electric scooter.
If exploited, an attacker could bypass safety systems and remotely take control of the device, including changing settings, pace, direction, or even disabling the motor and bringing it to an abrupt and unexpected stop while a rider is in motion.
Identifying the flaws
During the past eight months, Thomas Kilbride, Embedded Devices Security Consultant at IOActive, tested the mobile applications, firmware images, and other software in order to identify the flaws. He found that once a vulnerability had been exploited, he could essentially gain full control of the scooter: he was able to perform a firmware update of the scooter’s control system without authentication and modify the controller firmware to remove rider detection.
Additionally, he determined that an attacker could make the hoverboard stop suddenly, creating the risk of serious injury.
“FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures,” said Kilbride. “However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations.”
Interception of the rider application setting the scooter PIN to 111111
“Using reverse engineering and protocol analysis, I was able to discover a number of worrisome security threats,” continued Kilbride. “For example, I determined that riders in the area were indexed using their smart phone’s GPS. Therefore, each rider’s location was publicly available, so the hoverboards could be found, tracked, hijacked, and controlled without the rider’s knowledge.”
IOActive recommends manufacturers take the following steps to mitigate the various risks presented by the vulnerabilities identified:
- Implement firmware integrity checking
- Use Bluetooth Pre-Shared Key authentication or PIN authentication
- Use strong encryption for wireless communications between the application and scooter
- Implement a “pairing mode” as the sole mode in which the scooter pairs over Bluetooth
- Protect rider privacy by not exposing rider location within the Ninebot mobile application
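The first recommendation, firmware integrity checking, is the control that would have blocked both the unauthenticated update and the patched controller firmware described above. The Go program below is an added example written for this page; it is not IOActive's or Ninebot's code, and the image layout (a "MINI" magic, version, length, payload and a trailing Ed25519 signature), the key names and the payload contents are all hypothetical. It shows the device-side check an updater should run before writing anything to flash: a genuine vendor build is accepted, while a byte-patched image, an image re-signed with a non-vendor key, and a correctly signed but older build are all refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout for this example (not Ninebot's real format):
//   magic "MINI" | version (uint32 BE) | length (uint32 BE) | payload | Ed25519 signature (64 bytes)
// The signature covers magic, version, length and payload, so none of them can
// be altered without the vendor's private key.
var imageMagic = []byte("MINI")

const headerLen = 12 // magic + version + length

var (
	ErrFormat   = errors.New("malformed firmware image")
	ErrSig      = errors.New("firmware signature invalid")
	ErrRollback = errors.New("firmware version rollback refused")
)

// BuildImage is the vendor-side step: it runs in the release pipeline with the
// signing key, never on the scooter.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(img[0:4], imageMagic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side check the updater must run before a single
// byte is written to flash. pub is the vendor public key baked into the
// controller; installed is the version currently running and is used to
// refuse downgrades to an older, possibly vulnerable build.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[:4], imageMagic) {
		return 0, nil, ErrFormat
	}
	body := img[:len(img)-ed25519.SignatureSize]
	sig := img[len(img)-ed25519.SignatureSize:]
	if int(binary.BigEndian.Uint32(img[8:12])) != len(body)-headerLen {
		return 0, nil, ErrFormat
	}
	// Check the signature before acting on any field it protects.
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[headerLen:], nil
}

// Demo walks through the four cases an updater must handle. The payload is a
// constructed placeholder, not real controller firmware.
func Demo() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	const installed uint32 = 1
	payload := []byte("CTRL;RIDER_DETECT=1;MAX_SPEED=18")
	res := map[string]error{}

	// 1. Genuine vendor build, newer than what is installed: accepted.
	genuine := BuildImage(vendorPriv, 2, payload)
	_, _, err := VerifyImage(vendorPub, installed, genuine)
	res["genuine"] = err

	// 2. The attack the research describes: patch the image to disable rider
	//    detection. The signature no longer matches, so the update is refused.
	tampered := bytes.Replace(genuine, []byte("RIDER_DETECT=1"), []byte("RIDER_DETECT=0"), 1)
	_, _, err = VerifyImage(vendorPub, installed, tampered)
	res["tampered"] = err

	// 3. Attacker re-signs the patched payload with their own key: refused,
	//    because the controller only trusts the vendor's public key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildImage(attackerPriv, 2, []byte("CTRL;RIDER_DETECT=0;MAX_SPEED=18"))
	_, _, err = VerifyImage(vendorPub, installed, forged)
	res["forged"] = err

	// 4. A genuinely signed but older build: integrity holds, but rollback is
	//    refused so a known-bad version cannot be reinstalled.
	old := BuildImage(vendorPriv, 0, payload)
	_, _, err = VerifyImage(vendorPub, installed, old)
	res["rollback"] = err
	return res
}

func main() {
	r := Demo()
	for _, name := range []string{"genuine", "tampered", "forged", "rollback"} {
		fmt.Printf("%-9s -> %v\n", name, r[name])
	}
}
```

Two caveats a practitioner would add: the public key the check trusts must itself live somewhere the unauthenticated update path cannot reach (boot ROM, OTP fuses or a bootloader that is itself verified), otherwise an attacker who can rewrite flash simply replaces the key along with the firmware; and signed images complement, rather than replace, the authenticated and encrypted Bluetooth channel from the other recommendations, since a signature stops a malicious image but not a replayed or injected control command.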
IOActive disclosed the vulnerabilities to Segway/Ninebot, and the company subsequently released a new version to address some of the issues identified and informed IOActive of the fixes.
The research will be included in a presentation Kilbride will give at IOActive’s IOAsis event next week during Black Hat USA 2017 in Las Vegas. His session takes place on Wednesday, July 26 from 1:50 p.m. – 2:40 p.m. PT in Palm B Room in Mandalay Bay.