GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET
RICHO HEALEY WAS riding his electric skateboard toward an intersection in Melbourne, Australia, last year when suddenly the board cold-stopped beneath him and tossed him to the street. He couldn’t control the board and couldn’t figure out what was wrong. There was no obvious mechanical defect, so being a computer security engineer, his mind naturally flew to other scenarios: could he have been hacked?
It didn’t take long to determine that Bluetooth noise in the neighborhood was the likely culprit. The intersection, near Federation Square, was notorious for being saturated with radio frequency noise. Healey was controlling his board with a handheld remote that sent drive commands to the board via Bluetooth. It was clear he hadn’t been hacked; instead, he concluded, a flood of Bluetooth traffic from devices around him had interfered with his remote’s connection to the board.
The incident served as inspiration. “I got to thinking, what is it about this environment and can I replicate it?” he told WIRED.
Healey, who works on security for payments companyStripe, teamed up with fellow researcher Mike Ryan, who works on security for E-Bay, to examine his and other electric skateboards to see if they could be hacked. The result is an exploit they developed called FacePlant that can give them complete control of someone’s digital board.
“[The attack] is basically a synthetic version of the same RF noise [at that intersection in Melbourne],” he says, and allows them to cold stop a board or send it flying in reverse, tossing the rider in either case.
They plan to present their findings Saturday at the Def Con hacker conference in Las Vegas.
“It’s easy to point to this and say, oh it’s just a skateboard,” Healey says. “But for people who are buying these boards and commuting on them every day … there is risk obviously associated with that…. We explicitly did this research in order to make the devices safer.”
They focused their research on Healey’s board, a Boostedboard made by the American company of the same name, which sells for about $1,500; as well as a board made by the Australian firm Revo, which runs between $700 and $1,000; and a board called E-Go made by the China-based firmYuneec, which costs about $700.
They found at least one critical vulnerability in each board, all of which hinge on the fact that the manufacturers of the boards failed to encrypt the communication between the remotes and the boards. The attack for controlling the boards is essentially identical for each skateboard, but the mechanism for conducting it differs somewhat for each, and so far they’ve only completed an exploit for the Boosted board. A second exploit for the E-Go board, which they’ve dubbed Road Rash, is in the works.
How the FacePlant Hack Works
The Boosted board works with an app, which controls two 1,000-watt electric motors, a small, handheld remote, which the rider uses to adjust speed using Bluetooth Low Energy wireless technology, and a battery that allows the board to operate for about six miles on a single charge. A dead man’s switch, which the rider holds down to stay in motion, cuts the motor if the rider releases the switch.
Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.
There are obvious dangers if a skateboard rider going 20 miles per hour suddenly stops while the cars behind him don’t. But the harm isn’t only to the skateboard jockey; any bike riders, motorcyclists, cars or pedestrians behind the board are at risk of being struck. In the FacePlant attack the researchers designed, once their exploit slams the skateboard’s motors into reverse, the board takes off at full speed, hitting whatever may be in its path. And because the board is motorized and the dead man’s switch mechanism is disabled, the board won’t necessarily stop once it hits an object but will instead bounce off obstacles until it runs out of range of the attacker’s signal, or the hacker instructs it to stop.
Once an attacker slams the motors into reverse, the board takes off at full speed, hitting whatever may be in its path.
“This thing can cause some serious damage,” says Ryan. In a demo they conducted in an alley near WIRED’s office, the board flew out from under Healey, ricocheted off a wall and kept going, thwarting attempts to stop it.
A rider who is paying attention would notice the board slowing slightly as it goes into neutral—the wheels spinning in place briefly—before the reverse command kicks in and pitches the driver forward while the board takes off in the opposite direction. But most riders will be caught off guard. “Usually you don’t face plant, because the board slows down enough. But if you’re not expecting it, and you’re going fast enough, it could go pretty bad,” says Ryan.
You’d be on the ground before you knew it.
Timing Is the Key
The FCC mandates that in order to have a Bluetooth device certified it has to be able to withstand the presence of interference. But none of the three boards they tested were resilient against the interference of the researchers.
It takes two to ten seconds of jamming for an attacker’s Bluetooth connection to land on the board, then the exploit has a window of just 10 milliseconds to kick in before the rider’s remote control will automatically attempt to re-connect to the board. Their exploit hinges on recovering enough information about the Bluetooth connection during that short window to seize control from the remote, but they can automate the exploit with a script to make it work fast.
“The trick is, Bluetooth sniffing is not entirely an evolved science, but with no encryption and no signing, once we own the connection, it’s over right there,” says Healey.
The remote becomes essentially a useless brick that can’t re-engage with the board until the attacker disconnects.
The researchers found they could also change the top-speed the boards can travel. Electric skateboards each have a top-speed encoded in the firmware to prevent them from going too fast, which varies from board to board. The top speed coded into the Boosted firmware is 22 miles per hour, for example, but the E-Go board can only go 12.5 miles per hour top speed.
Because the Boosted app is capable of updating the firmware, in impersonating the app so can an attacker. The Boosted board doesn’t require that updates to its firmware be signed, so the researchers found they could install a remote update that eliminates or alters the speed limits—giving it the ability to go faster or preventing it from exceeding a low speed. An update takes more than two minutes to install and would require the board to restart to take effect. But because a hacker controls the board at that point, he can shut down the board and restart it to install the update.
“Once you have the ability to write arbitrary firmware, you can change the top speed, change the minimum speed, make the board refuse to stop and ignore the existence of the [remote] controller,” says Ryan. And after overwriting the firmware, the skateboard owner would have to refresh the firmware to regain control of the board.
They’ve been able to take full control of a Boosted board but so far they’ve only been able to jam the E-Go board and haven’t yet been able to seize control of it. But with jamming alone they could prevent the brakes on a board flying downhill from engaging. And the remote becomes essentially a useless brick that can’t re-engage with the board until the attacker disconnects. “It’s actually quite a persistent takeover of the board,” says Ryan.
One possible obstacle thwarting the success of a skateboard attack? Bluetooth noise. The jammer is unable to distinguish Bluetooth packets that belong to the skateboard from those of other Bluetooth devices in the vicinity. This caused some problems during a demonstration they conducted outside WIRED’s office building in a tech-heavy neighborhood where the drone manufacturer Skycatch also resides. As a result, the researchers failed a number of times to seize control of the board until the demo was moved a block away to a nearby alley.
To seize control, they used three transmitters that cost about $100 each. If they wanted to increase the likelihood of hitting the board on first try, they could increase their power by using say $1,000 worth of equipment to jam the signal. But this sledgehammer approach would likely jam every Bluetooth device in the neighborhood, not just a skateboard.
The distance for hijacking a board or updating its firmware can vary. In some of the lab tests they did they were able to seize control of a board from up to 30 meters away. It’s unclear if that would hold up in a city street. They suspect they might be able to hijack a board from up to 10 meters away, but in demos they conducted for WIRED they got inconsistent results.
“But there are so many variables that I’m a little bit loathe to commit to a number,” says Healey. “If you wanted to use this as a fully reliable payload you’d be looking to use this at a traffic light where someone is slowing down on the way past.”
We haven’t seen any safety in the electric vehicle market and there’s a pretty serious lack of manufacturers taking security seriously.RICHO HEALEY
He says their intent in doing the research wasn’t just to find a way to throw riders off their boards.
“The point of the research is to remind vendors that they actually do have a burden to users to make safe products,” Healey says. “They should make it easy to report bugs and they should be proactive to fix them. We haven’t seen any safety in the electric vehicle market and there’s a pretty serious lack of manufacturers taking security seriously.”
They reported the vulnerabilities to Boosted last September, but so far the company hasn’t implemented a fix. Boosted told the researchers that it plans to have a mitigation technique against the attack in place before their Def Con talk on Saturday. They haven’t yet reached out to the other manufacturers because they’re still examining those boards for vulnerabilities.
But the issue may not just be electric skateboards. They know of at least one electric bike on the market that also uses Bluetooth, though they haven’t examined it yet. “Worst case scenario you can always step off a skateboard. But if you’re tangled up on a bike that’s going as fast is it can, it’s going to be more dangerous,” Healey notes. In addition to hacking the bike, he says it might prove to be an interesting vector for attacking the bike rider’s phone, and use the bike as a pivot through which to hack the phone._______________________________________