e-scooters vulnerable to remote hacks

Amer Owaida, security writer at ESET, discusses the risks and vulnerabilities posed by electric scooters and their related software services and applications that riders might face. Amer also shares the measures suggested to tackle those risks.

Electric scooters are steadily becoming a popular alternative for short commutes. Besides convenience, however, they also introduce a range of cybersecurity and privacy risks, according to a study by the University of Texas at San Antonio (UTSA).

The review – which UTSA said is “the first review of the security and privacy risks posed by e-scooters and their related software services and applications” – outlines various attack scenarios that riders might face and suggests measures to tackle the risks.

Many e-scooters rely on a combination of Bluetooth Low Energy (BLE) and the rider’s smartphone internet connection to operate, as well as to send data to the service provider. This opens up a number of avenues for attack. For example, bad actors could eavesdrop on the data being exchanged over BLE, which could in turn enable Man-in-the-Middle (MitM) and replay attacks. As a result, in some cases attackers could remotely inject commands to take control of the scooter and harm the rider or pedestrians. In fact, this very risk was already discovered in one of Xiaomi’s scooters last year.
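The replay and command-injection risk described above, as an added example (not code from ESET, the UTSA study or any scooter vendor, and not a model of the Xiaomi issue): a toy BLE-style command channel in Python. The frame layout, the pairing key and the command names are assumptions made for illustration. The naive receiver executes any frame an eavesdropper captured and sends again, and accepts a made-up frame too; the hardened receiver binds each command to a strictly increasing counter with an HMAC under a per-scooter key, so replays, reordered frames and forged or tampered commands are all rejected while the legitimate app keeps working.

```python
import hashlib
import hmac
import struct

# Assumed per-scooter pairing key, hard-coded only for this illustration.
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

COUNTER_LEN = 4   # big-endian unsigned counter
TAG_LEN = 32      # HMAC-SHA256


class NaiveScooter:
    """Executes any frame it receives: no authentication, no freshness check."""

    def __init__(self):
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        self.executed.append(frame.decode("ascii", errors="replace"))
        return True


class HardenedScooter:
    """Accepts a frame only if its HMAC verifies and its counter strictly increases.

    Frame layout (assumed): counter (4 bytes) | HMAC-SHA256 tag (32 bytes) | command.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # must persist across power cycles in a real device
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < COUNTER_LEN + TAG_LEN + 1:
            return False
        header = frame[:COUNTER_LEN]
        tag = frame[COUNTER_LEN:COUNTER_LEN + TAG_LEN]
        cmd = frame[COUNTER_LEN + TAG_LEN:]
        expected = hmac.new(self.key, header + cmd, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered: the attacker lacks the key
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:
            return False  # replayed or reordered frame
        self.last_counter = counter
        self.executed.append(cmd.decode("ascii"))
        return True


class RiderApp:
    """Legitimate sender: holds the key and a monotonically increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: str) -> bytes:
        self.counter += 1
        header = struct.pack(">I", self.counter)
        body = cmd.encode("ascii")
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + tag + body


def run_scenarios() -> dict:
    """Replays and forges sniffed traffic against both receivers; returns acceptance per case."""
    results = {}

    # Naive channel: the sniffed plaintext "UNLOCK" is accepted again, and a
    # made-up "BRAKE" frame is accepted too, since nothing authenticates it.
    naive = NaiveScooter()
    sniffed = b"UNLOCK"
    naive.receive(sniffed)
    results["naive_replay_accepted"] = naive.receive(sniffed)
    results["naive_forged_accepted"] = naive.receive(b"BRAKE")

    # Hardened channel: same attacker, same vantage point on the BLE link.
    app = RiderApp(PAIRING_KEY)
    scooter = HardenedScooter(PAIRING_KEY)
    sniffed = app.frame("UNLOCK")
    results["hardened_first_accepted"] = scooter.receive(sniffed)
    results["hardened_replay_accepted"] = scooter.receive(sniffed)

    # Forgery: the attacker guesses the next counter but has no key for the tag.
    forged = struct.pack(">I", app.counter + 1) + bytes(TAG_LEN) + b"BRAKE"
    results["hardened_forged_accepted"] = scooter.receive(forged)

    # Tampering: keep header and tag from the sniffed frame, swap the command.
    tampered = sniffed[:COUNTER_LEN + TAG_LEN] + b"BRAKE!"
    results["hardened_tampered_accepted"] = scooter.receive(tampered)

    # The legitimate app still works after the attack attempts.
    results["hardened_next_accepted"] = scooter.receive(app.frame("LOCK"))
    results["hardened_executed"] = list(scooter.executed)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

Note what the HMAC does not do: it does not hide the command from an eavesdropper, so the privacy concerns stand, and the receiver must persist last_counter across power cycles or a reboot reopens the replay window. In a real design the key would be established during an authenticated BLE pairing rather than hard-coded as here.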

A scooter’s battery, engine, brakes, headlights and controller chip are among the key components that can be targeted in a physical attack. An attacker with hands-on access can swap out key components or install “malicious modules”, allowing them to control the scooter remotely or gather private information on the sly. By remotely manipulating the brakes and acceleration, the bad actor can injure the rider and/or other people.

Micromobility apps usually track the e-scooters’ whereabouts, which means that location spoofing is another thing to worry about. Bad actors could, for example, lure a rider to a secluded area and then harm them.

E-scooter providers require a wide range of information from the riders who sign up for their service. Usually, this includes some form of identification, along with billing, contact and demographic information. The providers also automatically collect additional data, including GPS and smartphone-specific information. Attackers with access to such data can build comprehensive profiles of riders’ habits, the places they frequent, and the routes they are likely to use.

Most of the risks can be mitigated by implementing cybersecurity best practices. Employees recharging the scooters could check their mechanical and electrical components to make sure nobody has tampered with them. As for the looming privacy risks, one of the best steps would be to implement a privacy-by-design approach for the applications, making the parts that handle data inaccessible to unauthorized personnel. In addition, monitoring data traffic would help the service provider react to threats in real time.