12 February, 2020
Be Alert Biker Boys, E-Scooters are Eavesdropping
Article: ebike hacking
Electric scooters are more than just a smart ride as they are increasingly posing privacy issues to the riders.
Electric scooters or e-scooters are slowly catching on in the market.
They are considered and very justifiably so the easiest option for travelling short distances.
It is mainly a special y enabled stand-up scooter using a small utility internal combustion engine or, more commonly, an electric motor. Known as a form of micro-mobility, these scooters are generally designed with a large deck in the center on which the rider stands.
But like all other smart devices this one too is not devoid of crisis especially of security.
According to the University of Texas at San Antonio (UTSA) e-scooters are constantly exposing its riders to an array of cyber security and privacy risks.
They have published a review called the "the first review of the security and privacy risks posed by e-scooters and their related software services and applications" which measures different degrees of risks and attacks which a e-scooter rider may have to face and the ways to evade them.
Many e-scooters depend on a combination of Bluetooth Low Energy (BLE) and the rider's smartphone internet connection to run as well as to send data to the service provider. That makes it vulnerable to many probable attacks. For example, bad actors could eavesdrop on the data being broadcast, which could, in turn, lead to Man-in-the-Middle (MitM) and replay attacks. As a result, in some cases hackers could remotely execute commands to posses the scooter and harm the rider or pedestrians.
A scooter's battery, engine, brakes, headlights and controller chip are among the major parts that can be harmed at a physical attack. Attackers can subsequently swap out key components or install "malicious modules", enabling them to manipulate the scooter or steal information about it remotely. On doing this a bad actor may wreck havoc with the rider as well as others.
Micromobility apps usually track the e-scooters' whereabouts, which means that location spoofing is yet another threat to e-scooters. Bad actors can cajole the rider to a specified place with malicious intentions.
The wide range of data which e-scooters provide is a major threat to the safety and security of its riders. Personal information like some form of identification, along with billing, contact and demographic information along with GPS and other forms of smartphone data can be easily used by attackers to make a convenient working study of the rider's everyday habits and abuse it too.
However most of the risks can be avoided by executing cyber security measures. While recharging the scooters the mechanical or electrical components can be examined to ensure non-tampering. A privacy-by-design set up can be executed for the applications, rendering data handling portions inaccessible to unknown users. Data traffic monitoring is also useful to handle practical vulnerabilities.
A case study
Xiaomi M365 is a popular brand of e-scooter where Bluetooth communication is used.
It allows the user to communicate with the scooter for multiple features such as an Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter's firmware. A particular application allows access to these features and every scooter is protected by a password that can be changed by the user.
Research results showed the password was not being used properly in the authentication process with the scooter and all commands can be executed even without the password. The password is only validated on the application side, but the scooter itself doesn't keep track of the authentication state.
Under such circumstances the following steps can be taken to avoid malicious activities leading to accidents.
Denial of Service attack – Lock any M365 scooter.
Deploy Malware – Install a new malicious firmware that can take full control over the scooter.
Targeted Attack – Target an individual rider and cause the scooter to suddenly brake or accelerate.
ISOAH is the anti-hacking auditing institute which is pro at discovering remotest of vulnerabilities in cyber systems.
Read on to know more about securities and otherwise in smart devices: www.isoeh.com/exclusive-blog-details-security-in-smart-cities.html
