A researcher with Dallas-based Zimperium discovered a way to manipulate a Xiaomi M365 scooter through a Bluetooth connection. Users can access their scooter via an app that connects to it over Bluetooth, as long as they authenticate with a password. However, Zimperium researcher Rani Idan determined the password fails to completely protect users.
“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password,” Idan wrote in a blog post Tuesday. “The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”
From there, Idan wrote an app for his mobile device that allowed him to mess with a Xiaomi scooter that was in use.
Idan writes that due to the flaw, a person could lock any M365 scooter, install malicious firmware, then cause it to fully accelerate or come to a screeching halt.
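One way a device can keep track of authentication state itself, so that a command is refused unless the connection that sent it has presented the password, is shown below. This C example is added for illustration and is not code from Xiaomi's firmware or Zimperium's research; the opcodes, status codes, retry limit and password are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical opcodes and status codes, constructed for this example;
   they are not the M365's real protocol. */
enum { CMD_AUTH = 0x01, CMD_LOCK = 0x02, CMD_FW_UPDATE = 0x03 };
enum { ST_OK = 0, ST_DENIED = 1, ST_BAD_PASSWORD = 2, ST_LOCKED_OUT = 3 };
#define MAX_FAILS 5 /* assumed limit; a real device would add a timed back-off */

/* Authentication state is held on the device, not in the phone app. */
struct session { int authenticated; unsigned fails; };

static const char device_password[] = "constructed-pass"; /* sample value */

/* Compare without an early exit so timing does not reveal a partial match. */
static int ct_equal(const uint8_t *a, size_t alen, const char *b) {
    size_t blen = strlen(b);
    uint8_t diff = (uint8_t)(alen != blen);
    for (size_t i = 0; i < blen; i++)
        diff |= (uint8_t)((i < alen ? a[i] : 0) ^ (uint8_t)b[i]);
    return diff == 0;
}

/* Call when the link drops: the next connection starts unauthenticated.
   The failure counter is kept so reconnecting does not reset the limit. */
void on_disconnect(struct session *s) { s->authenticated = 0; }

int handle_command(struct session *s, uint8_t op, const uint8_t *arg, size_t len) {
    if (op == CMD_AUTH) {
        if (s->fails >= MAX_FAILS) return ST_LOCKED_OUT;
        if (!ct_equal(arg, len, device_password)) {
            s->fails++;
            return ST_BAD_PASSWORD;
        }
        s->authenticated = 1;
        s->fails = 0;
        return ST_OK;
    }
    /* Every other command is refused unless this connection authenticated,
       regardless of what the app claims to have checked. */
    if (!s->authenticated) return ST_DENIED;
    switch (op) {
    case CMD_LOCK:
    case CMD_FW_UPDATE: return ST_OK; /* the action itself would run here */
    default:            return ST_DENIED;
    }
}
```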
Scooter-sharing companies like Bird and Spin have used the Xiaomi in the past. However, CyberScoop has learned that Bird updated the firmware on their M365 models after discovering the issue more than a year ago.
A Spin spokesperson told CyberScoop it stopped purchasing the Xiaomi model last year, and is phasing out any remaining Xiaomi scooters it had previously deployed. The majority of Spin’s scooters are made by Segway.
Xiaomi told Zimperium researchers that it was aware of the issue, blaming it on “third-party products.”
Correction, 2/14/19: The location of Zimperium’s headquarters has been corrected in this article.