Xiaomi electric scooter reportedly vulnerable to hijacking hack

Flaw could allow hackers to remotely take control of the vehicle, including acceleration and braking, a researcher says.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

The Xioami M365 has a flaw that could allow a hacker to hijack control of the vehicle, a security researcher says.

Sean Hollister/CNET

A flaw in a popular electric scooter has added to the list of safety concerns surrounding the devices, which have invaded several US cities in the past year.

The Xiaomi M365 is an electric scooter used by some scooter rental companies that contains a flaw that could allow a hacker to take full remote control over the vehicle, including causing the scooter to suddenly accelerate or brake, according to information released Tuesday by security research group Zimperium. The firm blames the scooter's password authentication process, which is done via Bluetooth communications.

"During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password," Zimperium said in a statement. "The password is only validated on the application side, but the scooter itself doesn't keep track of the authentication state."

Researchers said they were able to interact with the device's anti-theft system, cruise control and eco mode, as well as update its firmware, without required authentication.

Zimperium published a proof-of-concept video showing its app scanning for nearby Xiaomi scooters and disabling them through their anti-theft feature. The app will work on any M365 within a radius of about 328 feet (100 meters), Zimperium said.

A Xiaomi spokeswoman said the company it was aware of the flaw and working on a solution.

"As soon as we found out about this vulnerability, we have been working to fix it and taking down all unauthorized applications," Xiaomi spokeswoman Agatha Tang said in a statement. "In the meantime, an OTA (over-the-air) update is being prepared by Xiaomi's product and security teams, and will be available as soon as possible."

The hack adds to the concerns surrounding rentable e-scooters, which have become a controversial topic as they show up in more US cities and regulators hurry to write laws around the new form of transportation. Some people say they love being able to scoot block-to-block around congested cities. Others complain that riders endanger pedestrians by ignoring traffic laws, riding on sidewalks and leaving the scooters wherever they feel like it.

The flaw Zimperium discovered is similar to one discovered afflicting a Segway hoverboard in 2017. IOActive found it could gain full remote access to the hoverboard by manually sending commands to the Segway app through Bluetooth updates without the need for authentication.

Updated 2/14 with Xiaomi comment.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.