The security firm Zimperium disclosed on its blog last Tuesday a serious security problem affecting Xiaomi's popular electric scooters. The vulnerability allowed an attacker, remotely and over the Bluetooth wireless connection, to access the vehicle, lock it, modify its parameters or even push it to its maximum speed without the user intervening or being aware of it. The manufacturer has acknowledged the existence of this security flaw and, until it is fixed by means of a firmware update, recommends not using third-party applications.
In a video recorded as proof, Zimperium leaves little room for interpretation: the supposed attacker stands at a traffic light and 'attacks' his victim from his mobile phone at a distance of about five metres, completely disabling the electric scooter. Those responsible for this demonstration warn that, just as they were able to lock the scooter, they could have accelerated it to the maximum at the very moment the user was waiting for the light to turn green, which could cause an accident with dramatic consequences.
"It is an incredible error on the part of Xiaomi," Fernando Suárez, vice-president of the Council of Colleges of Computer Engineering and himself a user of one of the affected scooters, explains to EL PAÍS; "the manufacturer has forgotten to protect the scooter with a password". The worst of the matter is that, until the manufacturer distributes the update that fixes the problem, all the scooters remain open to attack. However, Suárez plays down the likelihood of suffering a hack: "With the scooter you are almost always in motion and Bluetooth has a limited range," he explains, referring to the fact that there are few real opportunities for an attack to take place.
Will the update solve this serious security problem? Yes, but this expert warns that "it will not be easy for all users to update; it is not like updating a mobile", since it will be necessary to connect to the vehicle after downloading the update and "not all users will do so". This means that scooters that could be hacked remotely will continue to circulate on the streets, especially now that this security problem has come to light.
But perhaps the most surprising part of the news is that this vulnerability is suspected to have been exploited since 2017, when the same gap was already being used to install home-made firmware that increased the power on slopes or raised the top speed. "It was a matter of time before someone decided to take the leap and create software able to intercept them as they pass," confirms Alex Barredo, from Mixxio.
What can be done for now to prevent our scooter from being 'attacked'? It is recommended to pair the scooter with your mobile phone via Bluetooth, since an existing connection will prevent another phone from connecting; another stopgap is to change the scooter's Bluetooth identifier and personalise its name to confuse a potential attacker.