
Hackers can hijack your connected hoverboard

It's not as serious as taking over a connected car, but a hacked hoverboard can lead to amusing but painful hijinks.

Alfred Ng Senior Reporter / CNET News

The Segway MiniPro is a high-end hoverboard with a Bluetooth remote. Researchers figured out how to hack it.


In one scene in "The Fate of the Furious," the villain hacker hijacks a horde of connected cars and kicks off a crazy chase as she controls the vehicles via computer.

Imagine how much goofier that would have been with hoverboards.

Hoverboards had a moment in 2015 as the hottest toy on the market (now usurped by fidget spinners). But their craze quickly stalled following multiple reports of shoddy batteries overheating and exploding. Some companies, like Segway, are still trying to make hoverboards cool, but they've ended up making them hackable, too.

As everyday objects become connected online, they also become vulnerable to cyberattacks. It's why we can't have nice things online. Hackers seem to find vulnerabilities in just about anything, including smart vibrators.

Segway introduced features for its version of a hoverboard called the MiniPro that let you connect the self-balancing scooter to your phone through Bluetooth and control the machine remotely through an app.

Researchers at cybersecurity company IOActive figured out last year how to hack the Bluetooth connection and hijack the MiniPro. This enabled the researchers to control the hoverboard from up to 200 feet away. They released the partial results of their efforts Wednesday.

It's unlikely that potential attackers could cause the hoverboards to overheat and explode because Segway put in physical safety measures for the batteries, but there are plenty of shenanigans to start with a remotely hijacked set of wheels.

"The attacker is able to cause the hoverboard to just turn off while there's somebody on it, which could trigger a faceplant," said Thomas Kilbride, an IOActive researcher.

He frequently rides the same model himself, and he imagined a scenario in which hackers could troll a victim holding a hot cup of coffee. The attacks happen over Bluetooth, and there's no way to turn off the hoverboard's Bluetooth, Kilbride said.

Segway did not respond to requests for comment.

IOActive researchers reverse-engineered the hoverboard app's code and found that they could manually send commands to the app through Bluetooth updates without the need for authentication. Through that, they could change the PIN lock for the app, which gave them full access to remote control on the hoverboard.

This means they could slow down, speed up or abruptly stop the hoverboard while someone rides it. Attackers would also be able to track down hoverboard owners through the Segway app. The app records a hoverboard's locations through the phone's GPS, putting every rider's location on a public map.

IOActive will release its full research at the Black Hat cybersecurity conference, set for July 26 and 27 in Las Vegas.

The security firm informed Segway about the issue in December. It's been fixed since April. So the parade of hijacked hoverboards will have to wait. 
