A security bug in Xiaomi scooters allows a third party to control them remotely
It is the most popular model: most of the electric scooters you see on the street are surely the Xiaomi M365. Now it has emerged that it has a vulnerability that allows a potential attacker to remotely operate the vehicle’s controls.
One of the components of the M365 scooter, the Bluetooth connectivity module that allows the vehicle to communicate with the “smartphone”, has a vulnerability that exposes it to third parties, as the cybersecurity firm Zimperium has discovered.
The vulnerability means that the link between the scooter and the “smartphone” via Bluetooth does not require a password or any other type of credential. In addition, the scooter can be compromised through the installation of malicious “firmware” without its systems detecting that it is not an official program.
The key to this security flaw is that the scooter can be connected to the “smartphone” through different applications, not only the official one, Xiaomi Mi Home. It can also connect with other “apps” such as M365 HUD, which even allows you to lock the scooter from your phone.
This “hack”, which does not require any type of password or verification, happens when the scooter is not linked to the official “app”, which does require a password. Thus, a third party can access the scooter and install “malware” on it for remote control. In other words, an attacker with malicious intent could speed up or slow down the scooter without the user being able to prevent it, in addition to accessing their personal information.
“Xiaomi is aware of the vulnerability,” the company has acknowledged in a statement. “As soon as we found out (it was reported by Zimperium) about this vulnerability, we have been working on fixing it and removing all unauthorized applications.” The company is working on a new update, which will launch “as soon as possible.”
Until then, the best thing users can do is connect the Xiaomi M365 scooter to the Mi Home “app”. As some users who have been “hacked” claim, the scooter does not stop suddenly, but gradually loses speed. The best thing, then, is to enter the “app” and unlock it.
It should also be remembered that the only solution at the moment is to keep it connected to Mi Home all the time, since it can only be linked to a single device at a time.