Study Identifies Security Vulnerabilities in E-Scooter Systems
Quick take - A recent study has identified significant security vulnerabilities in battery-powered embedded systems, particularly in e-scooters like the Xiaomi M365 and ES3 models, revealing critical design flaws and proposing countermeasures to enhance their security.
Fast Facts
- A study revealed significant security vulnerabilities in battery-powered embedded systems (BESs), particularly in e-scooters like the Xiaomi M365 and ES3 models, focusing on the battery management system (BMS).
- Researchers identified four critical design vulnerabilities, including a severe remote code execution issue and unencrypted, unauthenticated communication channels.
- A toolkit named E-Trojans was introduced, demonstrating attacks that can be executed remotely or via Bluetooth, including a ransomware scheme that can reduce battery autonomy by 50% in three hours.
- The vulnerabilities are not limited to Xiaomi e-scooters and could affect other devices with similar architectures, highlighting the need for further research in this area.
- The study proposes four countermeasures to enhance security and privacy, and findings were responsibly disclosed to Xiaomi, which acknowledged the report as informative.
Significant Security Vulnerabilities in Battery-Powered Embedded Systems
A recent study has revealed significant security vulnerabilities in battery-powered embedded systems (BESs), with a particular focus on e-scooters. The research highlights risks associated with devices such as the Xiaomi M365 (2016) and ES3 (2023) models.
Internal Attack Surfaces and Vulnerabilities
Battery-powered embedded systems typically include a battery management system (BMS), a radio interface, and a motor controller. However, the study points out a concerning lack of prior research on the internal attack surfaces of these systems, especially regarding the BMS.
The investigation involved extensive reverse engineering of the internal components of the e-scooters. Researchers also examined their interactions with the Mi Home companion app. This in-depth analysis led to the identification of four critical design vulnerabilities, including a severe remote code execution issue within the BMS.
The vulnerabilities discovered include unsigned and unencrypted BMS firmware, as well as unencrypted and unauthenticated UART/I2C communication channels.
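To make the "unauthenticated UART/I2C channel" finding concrete from the defender's side, the following is an added example (not code from the study, the E-Trojans toolkit, or Xiaomi's firmware) of the kind of framing a controller-to-BMS link needs before a BMS can trust a command: a per-frame HMAC-SHA256 tag plus a monotonically increasing counter, so that a tampered frame or a replayed frame is rejected before the command is acted on. The link key, frame layout and the sample "command" bytes are all constructed for the illustration.

```python
import hmac
import hashlib
import struct

# Hypothetical link key shared between the motor controller and the BMS.
# Constructed for this example; a real device would provision a per-unit key
# at manufacture rather than embedding a constant.
LINK_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
HEADER_LEN = 5   # 4-byte big-endian counter + 1-byte payload length
TAG_LEN = 16     # HMAC-SHA256 truncated to 128 bits


def build_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Wrap a BMS command as: counter || length || payload || tag.

    The tag covers the counter and length as well as the payload, so an
    attacker on the bus cannot re-stamp an old payload with a fresh counter.
    """
    if not 0 <= counter < 2**32:
        raise ValueError("counter out of range")
    if len(payload) > 255:
        raise ValueError("payload too long for one frame")
    header = struct.pack(">IB", counter, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def verify_frame(key: bytes, frame: bytes, last_counter: int):
    """Return (payload, counter) for a genuine, fresh frame; None otherwise.

    `last_counter` is the highest counter the BMS has already accepted, so a
    captured frame that is sent again fails the freshness check even though
    its tag is still valid.
    """
    if len(frame) < HEADER_LEN + TAG_LEN:
        return None
    counter, length = struct.unpack(">IB", frame[:HEADER_LEN])
    if len(frame) != HEADER_LEN + length + TAG_LEN:
        return None
    body, tag = frame[:HEADER_LEN + length], frame[HEADER_LEN + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison: a plain == leaks tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    if counter <= last_counter:
        return None  # replayed or reordered frame
    return frame[HEADER_LEN:HEADER_LEN + length], counter


def demo() -> dict:
    """Exercise the three cases a BMS must distinguish on an authenticated link."""
    # Constructed sample command bytes; they stand in for any BMS setting
    # and do not correspond to a real Xiaomi command.
    command = b"\x20\x01"
    last_seen = 0
    results = {}

    genuine = build_frame(LINK_KEY, last_seen + 1, command)
    accepted = verify_frame(LINK_KEY, genuine, last_seen)
    results["genuine"] = accepted is not None
    if accepted is not None:
        last_seen = accepted[1]

    # An attacker on the bus flips one payload byte: tag no longer matches.
    tampered = bytearray(genuine)
    tampered[HEADER_LEN] ^= 0xFF
    results["tampered"] = verify_frame(LINK_KEY, bytes(tampered), last_seen) is not None

    # The same genuine frame captured and sent again: valid tag, stale counter.
    results["replayed"] = verify_frame(LINK_KEY, genuine, last_seen) is not None

    return results


if __name__ == "__main__":
    print(demo())
```

The counter must survive power cycles on the BMS side (stored in non-volatile memory) or the replay check resets with every boot; a symmetric MAC also means the controller and BMS share the forgery capability, so it protects the bus, not against a compromised controller, which is why firmware signing on the BMS is a separate measure.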
E-Trojans Toolkit and Attack Vectors
To demonstrate the potential risks, the study introduced a toolkit named E-Trojans. This toolkit implements four novel attacks targeting the internal systems of BESs. These attacks can be executed remotely through a malicious application or in close proximity using a Bluetooth Low Energy (BLE) device.
One notable attack involves a ransomware scheme that extorts money from victims by exploiting the BMS to create an undervoltage battery condition. Testing revealed that this ransomware could diminish the battery autonomy of the M365 model by 50% within three hours. Another attack vector enables user tracking by fingerprinting the e-scooter internals, which can lead to the leakage of sensitive user data. The effectiveness of these attacks was empirically validated through experiments conducted on both the M365 and ES3 models.
Implications and Recommendations
The findings indicate that the vulnerabilities are not confined to Xiaomi’s e-scooters; they could potentially impact various other devices with similar architectures. In response to the identified vulnerabilities, the research proposes four practical countermeasures aimed at enhancing the security and privacy of the Xiaomi e-scooter ecosystem.
The study underscores the importance of further exploration into the internal attack surfaces of e-scooters, particularly given the growing market for e-scooters, currently valued at approximately USD 37 billion and projected to grow annually by 10%.
The findings were responsibly disclosed to Xiaomi, which acknowledged them and categorized the report as informative. For those interested in further exploration, the toolkit and demonstrations of the attack methodologies are available on GitHub. The study was funded by the European Union and received partial support from the French National Research Agency, reflecting a collaborative effort to address the pressing security concerns surrounding battery-powered embedded systems.