How To Hack Someone Off A Segway Scooter In 20 Seconds

Any hoverboard rider should be concerned about their physical wellbeing. Thanks to digital weaknesses in Segway’s hands-free Ninebot miniPRO scooter, they’ve got more reason to worry. The flaws made it possible to take almost complete control of the self-balancing vehicle and, potentially, knock off anyone aboard with some fairly basic hacks, researchers said today.

Attacks could be carried out with just 20 seconds of continuous Bluetooth connection to a Segway hoverboard, said IOActive researcher Thomas Kilbride. “It may be sped up using other means,” he told Forbes. “It’s a little bit alarming.” Not only would it be possible to kill the motor mid-drive, but it’d be simple to steal a miniPRO too, as seen in his demonstration video below.

How the hack went down

In his proof-of-concept hack, Kilbride started with the official Ninebot smartphone app, which is used to control certain functions of the vehicle. That let him determine the location of nearby riders. For whatever reason, a now-removed feature in the app made the GPS location of each scooter user available to anyone in a given area. As Kilbride wrote in an advisory released today: “Each riders’ location was published and publicly available, which makes weaponization of an exploit much easier for an attacker.”

He then switched to a Bluetooth app called Nordic UART, which connects over Bluetooth to compatible devices. The scooter didn’t require a password for access, allowing commands to be sent via the Nordic software. “Though the Ninebot application prompted a user to enter a PIN when launched, it was not checked at a lower level before allowing the user to connect,” IOActive’s advisory noted. That allowed Kilbride to change the PIN to ‘111111.’ This didn’t allow for complete control, but it locked the owner out.

It was then possible to upload malicious firmware, allowing total control over the device. The machine carried out no checks for anyone trying to upload new firmware, nor was there any encryption mechanism to protect the updates, said Kilbride. By spoofing addresses for the download server, it was simple to create what appeared to be a legitimate source, when in fact the firmware it was delivering to the Segway was malicious. This would allow the hacker to turn the hoverboard off while in motion, or just pilfer the thing.
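The two missing checks described above (a PIN enforced only in the app, and firmware accepted without verification), shown as device-side logic in an added example that is not IOActive's or Ninebot's code. The command names, key, lockout limit and version scheme are assumptions, and HMAC-SHA256 stands in for a public-key signature, which a real device would use so that no signing secret is stored on it.

```python
import hashlib
import hmac
VENDOR_KEY = b"constructed-demo-key"  # constructed; stands in for a vendor signature key
MAX_PIN_ATTEMPTS = 5                  # assumed lockout limit

def sign_image(image: bytes, version: int, key: bytes = VENDOR_KEY) -> bytes:
    """Tag covers the version number as well as the image, so neither can be swapped."""
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()

class Scooter:
    """Device-side command handler (hypothetical protocol, not Ninebot's)."""
    def __init__(self, pin: bytes, installed_version: int):
        self.pin = pin
        self.installed_version = installed_version
        self.failed_attempts = 0      # device-wide, so it survives reconnects
        self.authenticated = False

    def new_connection(self) -> None:
        self.authenticated = False    # each Bluetooth link starts unauthenticated

    def handle(self, command: str, **args) -> str:
        if command == "AUTH":
            return self._auth(args["pin"])
        # Enforced on the device: the phone app's PIN prompt is not a control.
        if not self.authenticated:
            return "ERR_NOT_AUTHENTICATED"
        if command == "SET_PIN":
            self.pin = args["pin"]
            return "OK_PIN_CHANGED"
        if command == "FIRMWARE":
            return self._firmware(args["image"], args["version"], args["tag"])
        return "ERR_UNKNOWN_COMMAND"

    def _auth(self, pin: bytes) -> str:
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            return "ERR_LOCKED_OUT"
        if hmac.compare_digest(pin, self.pin):   # constant-time comparison
            self.authenticated, self.failed_attempts = True, 0
            return "OK_AUTHENTICATED"
        self.failed_attempts += 1
        return "ERR_BAD_PIN"

    def _firmware(self, image: bytes, version: int, tag: bytes) -> str:
        if not hmac.compare_digest(tag, sign_image(image, version)):
            return "ERR_BAD_SIGNATURE"
        if version <= self.installed_version:
            return "ERR_ROLLBACK"     # a validly signed but older image is still refused
        self.installed_version = version
        return "OK_FLASHED"
```
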

As for why the vulnerabilities were present in the device, Kilbride suggested that Segway’s purchase in 2015 by Chinese firm Ninebot would have been a good time for an audit of its tech. “They’re a renowned company, just purchased by Chinese firm; as part of this they should have done some security auditing and validation. This could have helped them, it lets the seller know the true value of their product,” the researcher said.

Ninebot’s Segway division was made aware of the findings back in January. In April, the company told IOActive it had addressed some of the critical issues found by Kilbride. He told Forbes the company claimed to have implemented encryption, which would fix the firmware problem, though IOActive has yet to validate that. As for the Bluetooth issues, Ninebot told IOActive they’re being left open so developers can try out features for the scooter, Kilbride added.

Neither Segway nor Ninebot had responded to requests for comment at the time of publication.

Attacks on novel forms of transport aren’t unheard of. Last year, researchers found they could commandeer electric skateboards with similar exploits.

Source: https://www.forbes.com/sites/thomasbrewster/2017/07/19/segway-hoverboard-hacked-in-20-seconds/#12e4fb1113fe