Prophaze WAF Blog

Xiaomi M365 electric scooter hacked - Cloud WAF

Written by Rajaneesh | Feb 18, 2019 10:03:12 AM

It has been found that one could take control of a Xiaomi M365 electric scooter from a distance of around 100 meters, without the knowledge of its actual user. Researchers at Zimperium on Tuesday released a proof-of-concept (PoC) for the attack. The attack allowed them to launch a denial-of-service attack or install malicious firmware that can take full control of the scooter, and thus either accelerate or suddenly halt the scooter without the consent or knowledge of the rider.

Xiaomi has acknowledged the issue and has stated that it is still working on a fix.

Xiaomi’s scooter has a large market share and is used by various brands with few modifications. The scooter depends mainly on Bluetooth for its communication. The owner can use the Bluetooth-enabled app for various features such as the anti-theft system, cruise control and Eco mode, and also to update the scooter’s firmware. These features can also have serious impacts when the controls are compromised.

Every scooter has a password for its protection, but it has been noticed that all of its features can be used without the need for authentication. A bad actor can also lock the scooter using its anti-theft feature without the user’s consent or authentication.