Update of February 13, 2019:
Shortly after this article was published, Xiaomi contacted us to confirm that a corrective update is currently under development. The manufacturer's official statement follows:
"Xiaomi takes the utmost care in the design and manufacture of its products, and takes the feedback of its users and the safety of its community to heart.
That's why, as soon as we were informed of the possibility for malicious hackers to take remote control of running scooters, we started to work on a solution to fix it and block access to any unauthorized application.
In parallel, Xiaomi's product and security teams are preparing an OTA update, which will be available as soon as possible. We are fully committed to the constant improvement of our products and services, in particular based on the feedback received, in order to offer products that are always efficient and safer."
Xiaomi's electric scooters can easily be hacked remotely, computer security researchers report. By studying the Mi Scooter more closely, they discovered a serious security flaw in the device's Bluetooth connection. Here is what they found.
"As part of our research on connected objects, we examined the Xiaomi M365 electric scooter (Editor's note: called Xiaomi Mi Scooter in France) and put it under the magnifying glass," explain the researchers at Zimperium, Inc., a US-based mobile security firm, in a study relayed by our colleagues at Numerama.
A flaw allows the Xiaomi Mi Scooter to be hacked remotely
According to the researchers, a hacker can easily take control of a Xiaomi scooter at a distance of 100 meters without ever needing physical access to the vehicle. The flaw identified by Zimperium is in the Bluetooth system, which is used for software updates, the anti-theft system and speed control.
These features are grouped in a dedicated application locked by a password. In theory, the user can therefore deny a third party access to the scooter's settings and controls. In practice, this protection only guards access to the application, not to the scooter. "The password is validated only on the side of the application, but the scooter itself does not keep track of the authentication," the experts lament. To take control of a Mi Scooter, the researchers created an application that connects while bypassing the identifier and password prompt. With this trick, they managed to remotely engage the anti-theft lock on all scooters within a maximum distance of 100 meters.
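The design gap described above, as an added example that is not from the article or from Zimperium's research: a minimal model contrasting a device that relies on the app's password screen with one that verifies proof of the password itself. The class names, the `lock` command and the PBKDF2/HMAC challenge-response are assumptions for illustration, not the M365 protocol or Xiaomi's fix.

```python
import hashlib
import hmac
import secrets

# Hypothetical model: command names and key derivation are invented for illustration.
def derive_key(password: str, salt: bytes) -> bytes:
    """Key that both the app and the device derive from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign(password: str, salt: bytes, nonce: bytes, command: str) -> bytes:
    """Proof a legitimate app computes after the user enters the password."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()

class AppOnlyCheckDevice:
    """Design the article describes: the device keeps no authentication state."""
    def __init__(self):
        self.locked = False

    def handle(self, command: str, proof: bytes = b"") -> bool:
        # Any connected client is obeyed; the password check lived only in the app.
        if command != "lock":
            return False
        self.locked = True
        return True

class DeviceEnforcedCheck:
    """The device itself verifies a fresh proof of password knowledge per command."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self._key = derive_key(password, self.salt)
        self._nonce = None
        self.locked = False

    def challenge(self) -> bytes:
        # A new random nonce per command keeps a captured proof from being reused.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, command: str, proof: bytes = b"") -> bool:
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + command.encode(), hashlib.sha256).digest()
        if command != "lock" or not hmac.compare_digest(expected, proof):
            return False
        self.locked = True
        return True
```

A client that skips the app's password screen is obeyed by `AppOnlyCheckDevice` but rejected by `DeviceEnforcedCheck`, because the decision is made where the command is executed.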
According to Zimperium, hackers could use this loophole in several different ways: by simply blocking the scooter, by covertly installing malware able to control the machine over a longer distance, or by forcing the scooter to accelerate against the will of its rider. They present the risks created by this type of flaw in the video below. Not surprisingly, Zimperium informed Xiaomi of the existence of a serious flaw.