There’s one rule in the cybercrime world, and that’s if something is hackable, it will be hacked. We’ve seen games consoles, countless programs, computers, defense systems, routers and even cars hacked. Why would an electric scooter be any different?
Anything with a protective electronic lock can eventually be hacked. While security developers on one side constantly build better protections, failsafes and firewalls, hackers on the other side consistently produce cracks and hacks that penetrate those defenses. But how does all of this apply to electric scooters?
Hacking for the purpose of stealing an electric scooter
Not too long ago, stealing Bird/Lime scooters was all over the internet. Thieves, with the help of a $32 kit, swiped countless scooters off the streets, leaving commuters who used scooter sharing baffled. Some companies had to catch on to the hacks promptly, and have since retired easy-to-hack models. For a bit, folks were scamming unlimited free rides on the scooters thanks to a little glitch in the activation process.
Scooters were often hacked through Bluetooth, which has been proven unsafe for quite a while, but it’s also the cheapest and fastest option for connecting your smart devices. Most Bluetooth scooters don’t even have a password, let alone any real measure of security, letting hackers quickly install malware on the scooter.
Other companies, like Lime, made a completely custom scooter that is incompatible with any other scooter on the market. This makes it harder to hack, unless someone specifically targets it. Hackers, like all criminals, are always looking for the easiest target, and custom scooters are rarely profitable enough. Even if they’re broken into, a firmware, hardware or software update will make a hack obsolete.
The good news for scooter sharing companies is that they write these losses off as operating expenses; they’re almost used to it happening. A shared scooter reportedly lasts for about two months, but it pays for itself a lot quicker than that, letting these companies operate at a hefty profit.
Malicious hacking and potential danger for the rider
Dockless scooters use a combination of Bluetooth and Internet connections to communicate with the user’s mobile phone and the scooter-share company’s central servers. These communication channels offer attack vectors to hackers, with the potential of mobilizing a horde of these vehicles in an urban environment. A couple of years ago, a team of researchers from a company called Zimperium demonstrated a PoC that locks the scooter: a malicious application scans for nearby Xiaomi M365 scooters and disables them by using the scooter’s anti-theft feature without authentication or user consent. They’ve also developed a PoC for installing malicious firmware capable of accelerating the scooter, which can be very, very dangerous.
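The missing check behind the lock PoC described above, as an added example that is not from the original article or from Zimperium’s research. It is a Python model of a scooter that obeys a lock command from any peer, beside one that requires a fresh HMAC tag keyed with a pairing secret; the class names, command strings and challenge-response scheme are assumptions for illustration, not the M365 protocol.

```python
import hashlib
import hmac
import os

COMMANDS = {"LOCK": True, "UNLOCK": False}  # hypothetical command -> locked state

class UnauthenticatedScooter:
    """Obeys any peer in radio range: the weakness described above."""
    def __init__(self):
        self.locked = False

    def handle(self, command: str) -> bool:
        if command not in COMMANDS:
            return False
        self.locked = COMMANDS[command]
        return True

class AuthenticatedScooter:
    """Obeys only a peer that proves knowledge of the pairing key."""
    def __init__(self, pairing_key: bytes):
        self._key = pairing_key
        self._nonce = None
        self.locked = False

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)  # fresh per command, so old tags cannot be replayed
        return self._nonce

    def handle(self, command: str, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each nonce is single-use
        if nonce is None or command not in COMMANDS:
            return False
        if not hmac.compare_digest(make_tag(self._key, nonce, command), tag):
            return False  # constant-time comparison failed: unknown peer
        self.locked = COMMANDS[command]
        return True

def make_tag(key: bytes, nonce: bytes, command: str) -> bytes:
    return hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()

def demo() -> dict:
    key = os.urandom(32)  # constructed pairing secret shared with the owner's app
    weak, strong = UnauthenticatedScooter(), AuthenticatedScooter(key)
    out = {"weak_stranger": weak.handle("LOCK")}
    out["strong_stranger"] = strong.handle("LOCK", make_tag(os.urandom(32), strong.challenge(), "LOCK"))
    owner_tag = make_tag(key, strong.challenge(), "LOCK")
    out["strong_owner"] = strong.handle("LOCK", owner_tag)
    strong.challenge()
    out["strong_replay"] = strong.handle("LOCK", owner_tag)  # old tag, new nonce
    return out
```

Calling `demo()` shows the first scooter locking for a stranger, while the second accepts only the owner’s fresh tag and rejects both the stranger and a replayed tag.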
What does it mean for the riders? Should we be concerned for our safety?
Most hacked electric scooters are those from scooter-sharing companies, hacked for the sake of being stolen. As long as you take care of where you leave your personal electric scooter and maybe apply a bike lock or two, you will discourage most criminals and hackers. Most of them want an easy mark and want to earn easy money. Why bother with someone’s scooter that’s secured with locks and updated software, when they can swipe an undefended dockless scooter?
Electric scooter hacks and modifications
With their rapidly rising popularity, there are more and more elaborate modifications for electric scooters. The most popular is overriding the devices’ speed-limiting software to reach up to 40mph. This requires jailbreaking your scooter and purposefully modifying the firmware, which is in fact hacking.
Due to legal reasons, most scooters (if not all of them) come with a speed limiter. An electronic speed limiter is a configuration in the software of the electric scooter that limits the maximum speed to a specific threshold decided by the manufacturer. This is not like a mechanical limitation that can be removed easily. It’s embedded in the electric scooter’s controller unit and can’t be removed as easily as it may seem.
Some scooters have the option to turn off the speed limiter from the dashboard, if you would like to test the top speed on private property. The Xiaomi Mi M365, for example, can’t be unlocked directly from the display. It doesn’t even have a display, but a phone application. To remove the limitation you need to rewrite the software that’s on the scooter’s controller.
Is this a good way to increase the top speed of your scooter? Well, unless your scooter has a simple option to remove the speed limit, it’s probably not a good idea to remove it by flashing your controller or other tricks. Some models can be damaged because removing the limit drains a lot of power from the battery quickly and the engine runs hot due to high RPM. If you want a fast electric scooter and the local laws allow it, look for one from the beginning. This will save you a lot of trouble.
The endless cyber-war between the security experts and hackers is ongoing, but it’s unlikely that a common person will be caught up in it, and your own personal scooter will probably never be a target for hackers. Be mindful of your safety and update your software, but don’t live in the constant anxiety that you’ll be hacked. Also, bike locks always work, no matter who controls the electric scooter.