18 February 19, 06:20
Quote:Security Flaw Discovered In Xiaomi Electric Scooters
A researcher Rani Idan from Zimperium has discovered a serious vulnerability in Xiaomi electric scooters. As per his findings, the vulnerability could allow an attacker to take control of the machine. A successful remote attack could then result in sudden breaking or acceleration.
Reportedly, he discovered problems with the user authentication process of the scooters. Describing the details of his findings in a blog post, Idan stated,
“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password.”
Precisely, the scooters keep no track of the authentication state as the password validation takes place at the app side only. As a result, it becomes easy for an attacker to exploit the bug by sending any malicious payload to execute desired commands. The attacker may be present anywhere within proximity of 100 meters from the target device.
Idan has demonstrated the exploit in the following video. It shows successful locking of the Xiaomi M365 scooters by sending crafted payload.
Source