[#video: https://www.youtube.com/embed/ASygXa8UVYk

The fleets of electric scooters that have inundated cities are alarming enough as is. Now add cybersercurity concerns to the list: Researchers from the mobile security firm Zimperium are warning that Xiaomi’s popular M365 scooter model has a worrying bug. The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking.

Rani Idan, Zimperium’s director of software research, says he found and was able to exploit the flaw within hours of assessing the M365’s security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed.

Idan quickly found that he could connect to the scooter via Bluetooth without being asked to enter a password or otherwise authenticate. From there, he could go a step further and install firmware on the scooter without the system checking that this new software was an official, trusted Xiaomi update. This means that an attacker could easily put malware on a scooter, giving herself full command over it.

“I was able to control any of the scooter features without authentication and install malicious firmware,” Idan says. “An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst-case scenario you can imagine.”

Unfortunately, issues with Bluetooth implementation, especially weak or missing authentication mechanisms, are nothing new in internet-of-things devices. Similarly, “integrity checks” to confirm the authenticity and trustworthiness of software and firmware updates are often overlooked. But while they can lead to all sorts of real privacy and security risks in general, they are obviously especially problematic in devices that can endangers a user's physical safety.

“I was able to control any of the scooter features without authentication." Rani Idan, Zimperium

Researchers found a similar set of flaws in Segway MiniPro hoverboards in 2017, but the company, which is owned by Chinese scooter-maker Ninebot, worked to fix the problems. Zimperium is concerned about what will happen with Idan’s findings, because when the company contacted Xiaomi to disclose the bugs, the scooter maker said it is aware of the problem and doesn’t have the ability to fix it on its own.

This is apparently because Xiaomi sources its Bluetooth implementation module from a third-party developer rather than coding it in-house. Xiaomi did not respond to multiple requests for comment from WIRED. But the company told Zimperium that “this is a known issue internally. The issue has been made public. Because it is a third-party cooperation product we are also trying to communicate solutions to each other.”

In the meantime, M365 scooters are vulnerable to an array of takeover attacks. The user app that connects to the scooters does offer the option to set a password for accessing individual devices. But when Idan created proof-of-concept Android and iOS apps to test the weaknesses, he found that the system doesn't require outside Bluetooth connections to authenticate even once a password has been set up in the official app.

Zimperium is taking the perhaps controversial step of publishing the Android version of this proof of concept in an attempt to prove the problem's urgency and warn as many people as possible. Zimperium chief technology officer John Michelsen argues that it is the only recourse security researchers have to motivate accountability in unresponsive IoT companies and electronics manufacturers in general.

Xiaomi M365 scooters are a popular consumer choice and have even been used by ride-sharing companies like Lyft and the scooter-specific service Bird. A customized version of the M365 was Bird's first scooter model, but the company has begun phasing it out unrelated to this research.

“IoT devices are everywhere—in our personal space, holding our most sensitive data, and in our daily routines,” Idan says. “You would probably think those devices would implement the best security protections possible, but unfortunately that is not always the case.”

Given the potential risk to users, it's crucial for Xiaomi to respond to the research and find a way to issue stronger Bluetooth protections. In the meantime, keep applying official updates and, as always, wear a helmet.

More Great WIRED Stories