A scooter you can also remote control sounds cool, until you find out it can be hacked. Then it's not cool at all — it's terrifying.
Every Friday, I ride an electric Segway/Ninebot miniPRO around the office. It's my favorite rideable (A.K.A. balance board, A.K.A., hoverboard). It's also the only one that includes a remote control that I can use to send it running around the office on its own.
The remote control does not work when I'm standing on the Segway miniPRO, which itself is essentially a tiny version of the original self-balancing mobility device introduced 16 years ago by inventor Dean Kamen. Aside from the size, the other major difference is from the original Segway is that instead of using handles to steer the scooter, the miniPRO employs a knee-height stem for direction control.
But researchers at IOActive figured out how to hack into the Segway miniPRO and trigger remote-control features while someone is riding the board, making it speed up, slow down, and even stop dead in its tracks without the riders' consent. Since the Segway miniPRO can travel at up to 10 mph, a sudden stop could throw the rider, causing serious injury or at least deep embarrassment. IOActive revealed its findings on Wednesday.
Discovered by security researcher Thomas Kilbride last year, the Segway vulnerability left open Bluetooth communication between the dedicated Ninebot App and the Segway miniPRO. Kilbride used the access to bypass a communication PIN, which apparently was not required to establish communications, even though it is part of the initial setup. Kilbride explained his findings in the video below.
After intercepting Bluetooth communications, Kilbride reverse-engineered its protocol. Kilbride used a Bluetooth connection utility app (Nordic UART) to connect directly to the Segway miniPRO. He then used this connection to reset the PIN. Kilbride also employed the Ninebot app's built in "Find other riders near me" capabilities to target other Segway miniPROs.
Using the new PIN, Kilbride connected his local Ninebot app to a nearby Segway miniPRO and then uploaded a new piece of firmware. Apparently, the system did not include, according to IOActive's Security Advisory, any integrity checks on firmware images before accepting a firmware update.
By the time Kilbride was done, someone else's Segway miniPRO was under his control. Fortunately, Kilbride only performed proof-of-concept tests with knowing participants.
The good news is that IOActive is a white hat firm and informed Segway/Ninebot about the vulnerability last December. Segway/Ninebot, in turn, let IOActive know that the company had patched the critical issues in April.
While I'm happy that Segway/Ninebot took care of this massive security hole, the stunning lack of checks and balances in the original product are disturbing. There was no communication encryption, the PIN code wasn't hardwired into remote control, and firmware update protocols were sloppy at best.
Segway/Ninebot gets credit for building an excellent rideable that, unlike some early competitors, meets all the Underwriters Laboratories (UL) criteria for not catching on fire or blowing up, but they left us vulnerable in an equally dangerous way. Experts have reached out to Segway/Ninebot to confirm IOActive's findings and that the vulnerabilities were patched and will update this post with their response.
If you own a Segway miniPRO scooter, be sure you're running the latest Ninebot software (Version 4.0) and download the newest firmware (1.4.0). I just updated our scooter and plan to ride it again on Friday. Wish me luck.
Download SafeUM — communicate privately, without advertising and spam.
