Xiaomi electric scooters vulnerable to remote hijacking

From zdnet.com

Researchers say the vehicle’s authentication protocols leave much to be desired.

Electric scooters have swamped the streets of cities worldwide and, already considered an annoyance by some, may now also be considered a security and safety risk.

On Tuesday, researcher Rani Idan from San Francisco-based exploit seller Zimperium disclosed a vulnerability present in the Xiaomi M365 electric scooter which could potentially permit attackers to remotely control a vehicle, leading to issues including sudden acceleration or braking.

The problem lies in how the scooter authenticates its users, or the lack thereof.

According to Idan, passwords used to authenticate the scooter’s onboard computer systems are not being “properly used” during the authentication process: the password is validated only on the application side, and the scooter itself does not track authentication state, so “all commands can be executed without the password.”
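The flaw described above, modeled as an added example (not code from the article, Zimperium or Xiaomi): a device command handler that trusts the app to have checked the password, beside one that keeps authentication state on the device. The command ids, struct, function names and PIN are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: command ids, names and the PIN are hypothetical,
   not the M365's real protocol. */
enum { CMD_AUTH = 1, CMD_SET_LOCK = 2 };
enum { RES_OK = 0, RES_DENIED = 1, RES_BAD = 2 };

typedef struct {
    int authenticated;   /* per-connection state kept on the device */
    int locked;          /* the setting the commands change */
} session_t;

static const uint8_t DEVICE_PIN[6] = { '4', '8', '1', '5', '1', '6' };

/* Compare without exiting early, so timing does not reveal a matching prefix. */
static int pin_matches(const uint8_t *p, size_t n) {
    uint8_t diff = 0;
    if (n != sizeof DEVICE_PIN) return 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(p[i] ^ DEVICE_PIN[i]);
    return diff == 0;
}

/* Flawed pattern from the article: the device trusts the app to have checked
   the password, so every command runs regardless of session state. */
int handle_trusting(session_t *s, uint8_t cmd, const uint8_t *arg, size_t n) {
    if (cmd == CMD_SET_LOCK && n == 1) { s->locked = arg[0] != 0; return RES_OK; }
    return cmd == CMD_AUTH ? RES_OK : RES_BAD;
}

/* Device-side enforcement: the device checks the password itself and accepts
   nothing but AUTH until this connection has authenticated. */
int handle_enforcing(session_t *s, uint8_t cmd, const uint8_t *arg, size_t n) {
    if (cmd == CMD_AUTH) {
        s->authenticated = pin_matches(arg, n);
        return s->authenticated ? RES_OK : RES_DENIED;
    }
    if (!s->authenticated) return RES_DENIED;
    if (cmd == CMD_SET_LOCK && n == 1) { s->locked = arg[0] != 0; return RES_OK; }
    return RES_BAD;
}

int main(void) {
    session_t a = {0}, b = {0}; const uint8_t on = 1;
    printf("trusting: %d, enforcing: %d\n", handle_trusting(&a, CMD_SET_LOCK, &on, 1),
           handle_enforcing(&b, CMD_SET_LOCK, &on, 1));
    return 0;
}
```

The same unauthenticated command succeeds against the first handler and is denied by the second, because only the second keeps the authentication decision on the device.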

