Security researchers discovered a worrying flaw in popular e-scooters that leaves them open to being remotely controlled by hackers.
Mobile security firm Zimperium has warned that a security vulnerability in Xiaomi’s M365 scooter could let anyone savvy enough lock the device, hit the brakes and even cause the device to suddenly accelerate.
Zimperium said several popular ride-sharing services use M365 scooters, but it’s unclear how many are currently in use in the U.S.
The flaw resides in the scooter’s Bluetooth module, which lets users control the device remotely.
For example, customers can use Bluetooth to lock the scooter hands-free from the app.
Rani Idan, a security researcher at Zimperium, found that a hacker could easily connect to the scooter over Bluetooth without having to enter a password.
‘The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state,’ Idan said.
‘Therefore, we can use all of these features without the need for authentication.’
Idan and the other researchers then took it a step further and exploited this flaw to install malware on the scooter.
The scooter didn’t recognize that unauthorized software had been installed onto it.
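
The fix for the flaw Idan describes is for the device itself to hold the authentication state of each connection and refuse privileged commands until the password has been checked on the device. The sketch below is an added example, not Xiaomi's or Zimperium's code; the command names, password length, lockout threshold and sample password are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical command set and sizes; not the M365's real protocol. */
enum cmd { CMD_AUTH, CMD_LOCK, CMD_UNLOCK, CMD_FW_UPDATE };
enum result { RES_OK, RES_DENIED, RES_BAD_PASSWORD, RES_LOCKED_OUT };
#define PASSWORD_LEN 6
#define MAX_FAILURES 3
/* Failure count lives with the device so reconnecting does not reset it. */
struct device { uint8_t password[PASSWORD_LEN]; unsigned failures; };
/* Authentication state is per connection and held by the device, not the app. */
struct session { int authenticated; };
/* Constant-time compare: timing does not reveal how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Call on every connect and disconnect so auth never carries over. */
void session_reset(struct session *s) { s->authenticated = 0; }

enum result handle_command(struct device *d, struct session *s, enum cmd c,
                           const uint8_t *payload, size_t len) {
    if (c == CMD_AUTH) {
        /* Simplified lockout; real firmware would use a timed back-off. */
        if (d->failures >= MAX_FAILURES) return RES_LOCKED_OUT;
        if (len == PASSWORD_LEN && ct_equal(payload, d->password, len)) {
            s->authenticated = 1;
            d->failures = 0;
            return RES_OK;
        }
        d->failures++;
        return RES_BAD_PASSWORD;
    }
    /* Every other command is privileged and is checked here, on the device. */
    if (!s->authenticated) return RES_DENIED;
    return RES_OK; /* the command would be dispatched to the controller here */
}

int main(void) {
    struct device d = { {'1', '2', '3', '4', '5', '6'}, 0 }; /* constructed */
    struct session s;
    session_reset(&s);
    printf("unlock before auth: %d\n", handle_command(&d, &s, CMD_UNLOCK, NULL, 0));
    handle_command(&d, &s, CMD_AUTH, (const uint8_t *)"123456", PASSWORD_LEN);
    printf("unlock after auth: %d\n", handle_command(&d, &s, CMD_UNLOCK, NULL, 0));
    return 0;
}
```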