A security flaw in a Xiaomi electric scooter used by ridesharing companies can be attacked by hackers to accelerate or brake the machine.

According to security researchers at Zimperium, an attacker only has to be within 100 meters of such a vehicle to carry out the hack. Researchers released a proof-of-concept (PoC) for the attack, which impacts Xiaomi M365 scooters.

The PoC enabled researchers to mount a denial-of-service attack and install malicious firmware that can take control of the scooter's acceleration and braking capacities.

The problem starts with the use of Bluetooth by the scooter. The Bluetooth access allows the user to interact with the scooter for multiple features such as an Anti-Theft System, Cruise-Control, Eco Mode and updating the scooter's firmware. To access those features the user can use a dedicated app, and every scooter is protected by a password that can be changed by the user.

"During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn't keep track of the authentication state," said the researchers in a blog post.