Electric scooters could be vulnerable to remote hacks
Turns out, a helmet may not be enough to keep you protected when riding an e-scooter
E-scooters are becoming commonplace as an ideal alternative to taking a vehicle for a short commute. However, like anything electronic, e-scooters are susceptible to vulnerabilities from a cybersecurity perspective, as the security company ESET found.
That's according to a study at the University of Texas at San Antonio (UTSA). The review – which UTSA said is “the first review of the security and privacy risks posed by e-scooters and their related software services and applications” – outlines various attack scenarios that riders might face and suggests measures to tackle the risks.
As Amer Owaida, Security Writer at ESET, explains, "Many e-scooters rely on a combination of Bluetooth Low Energy (BLE) and the rider’s smartphone internet connection to run, as well as to send data to the service provider. This opens up a number of avenues for potential attacks. For example, bad actors could eavesdrop on the data being broadcast, which could, in turn, lead to Man-in-the-Middle (MitM) and replay attacks. As a result, in some cases hackers could remotely inject commands to take control of the scooter and harm the rider or pedestrians. In fact, this very risk was already discovered in one of Xiaomi’s scooters last year."
Hackers can potentially target a scooter's components, such as the engine, brakes, headlights and controller chip, and a rider can quickly find themselves unable to control the scooter because of a remote attack. Riders can be physically injured this way, or their privacy can be put at risk, with attackers luring unsuspecting riders to a secluded area and then harming them.
As for the solution, Amer recommends: "Most of the risks can be mitigated by implementing cybersecurity best practices. Employees recharging the scooters could check their mechanical or electrical components to make sure nobody had tampered with the scooters. As for the looming privacy risks, one of the best steps would be to implement a privacy-by-design approach for the applications, making the parts that handle data inaccessible to unauthorized personnel. In addition, data traffic monitoring would help the service provider to react to threats in real-time."