Putting the brakes on e-scooter security flaws with Which?

e-scooters have recently made headlines in the UK, amid ongoing discussions around their legality. Currently, they can only be used on private land or on public roads as part of government-backed trials. However, they remain available from popular retailers, and have been linked to technical faults and several accidents.

Amid this controversy, a recent investigation from independent UK consumer body, Which?, showed that many e-scooter brands also present a number of security and safety risks. Working closely with Which?, we assessed e-scooters from nine brands - Segway, Pure, Xiaomi, Kugoo, Vici, iScooter, Aovo, YouFs and iWheels. We found multiple security flaws that could enable hackers to access users’ data, increase e-scooters’ speed and activate their brakes remotely.

Exceeding the legal speed limit

e-scooters that are legal for use in selected UK cities as part of government trials are capped at a maximum speed of 15.5mph. However, we could increase the speed to 18mph on three of the brands, with the potential to push the speeds even higher. Illegal use of e-scooters has already caused death and injury, so this presents considerable risks to users and pedestrians alike.

Activating locks while in motion

Some scooters had a vulnerable brake design, meaning that skilled attackers might be able to activate the brakes remotely while a victim is travelling at speed. This ‘lock’ function could be accessed through the scooters’ smartphone app in a similar way to pressing the lock button on a car key, raising additional concerns about the security of e-scooters.

Outdated app security

Outdated software in apps can expose users’ data and privacy and enable malicious actors to manipulate the apps in different ways. In five of the apps that we investigated, we found that the code in the apps was outdated, meaning hackers could infiltrate them and run their own code to affect their functionality.

Lack of encryption

None of the apps that we looked at encrypted users’ data securely enough, enabling us to access information such as login details and journeys that users had taken as the data was being transferred from the apps to the servers where it is stored. Some of the scooters didn’t encrypt Bluetooth either, which could open the door for hackers to access the scooters’ software and adapt the scooters’ functionality by executing their own commands.

Exposed SWD port

One of the scooters had an exposed Serial Wire Debug (SWD) port, which is used to check for issues and bugs during the testing and development phase. However, hackers could connect to the scooter via the device and use it to bypass security measures, presenting additional risks such as theft.

Sideloading

One of the brands didn’t have an official app available to download from an official app store, forcing users to download it from a website and ‘sideload’ it onto their phones, which can expose them to malware and viruses.

Advice to manufacturers

• Improve firmware verification so that only approved firmware can be installed on the scooters, and restrict the access of third-party apps to the firmware.
• Remove the ability for hackers to remotely apply locks while e-scooters are in motion.
• Keep apps updated and release security patches / upgrades for them regularly.
• Encrypt data properly, and mandate unique Bluetooth passwords to prevent attempts to run malicious code.
• Remove access to SWD ports before the final product is launched.
• Ensure that your app is accessed through official app stores.

Commenting on the research, Matt Lewis, Commercial Research Director at NCC Group, said:

“e-scooters are a great example of cyber-physical systems. This research shows the interplay between safety and security around them, and that traditional security vulnerabilities can be exploited to cause physical harm or even loss of life.

It also raises the question around whether regulators should introduce stricter security and safety controls and practices, or whether e-scooters could fall under the Product Security and Telecommunications Infrastructure (PSTI) Bill or similar. Either way, it’s clear that there is much to be done from a cyber security and legislative perspective before e-scooters can be considered a safe and secure mode of transport.”