SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
20 Jul 2017

Researchers exploit dangerous Segway miniPRO vulnerability

A scooter you can also remote control sounds cool, until you find out it can be hacked. Then it's not cool at all — it's terrifying.

Every Friday, I ride an electric Segway/Ninebot miniPRO around the office. It's my favorite rideable (A.K.A. balance board, A.K.A. hoverboard). It's also the only one that includes a remote control that I can use to send it running around the office on its own.

The remote control does not work when I'm standing on the Segway miniPRO, which itself is essentially a tiny version of the original self-balancing mobility device introduced 16 years ago by inventor Dean Kamen. Aside from the size, the other major difference from the original Segway is that instead of using handles to steer the scooter, the miniPRO employs a knee-height stem for direction control.

But researchers at IOActive figured out how to hack into the Segway miniPRO and trigger remote-control features while someone is riding the board, making it speed up, slow down, and even stop dead in its tracks without the rider's consent. Since the Segway miniPRO can travel at up to 10 mph, a sudden stop could throw the rider, causing serious injury or at least deep embarrassment. IOActive revealed its findings on Wednesday.

Discovered by security researcher Thomas Kilbride last year, the Segway vulnerability left Bluetooth communication between the dedicated Ninebot app and the Segway miniPRO open. Kilbride used that access to bypass the communication PIN, which apparently was not required to establish communications, even though it is part of the initial setup. Kilbride explained his findings in the video below.

After intercepting the Bluetooth communications, Kilbride reverse-engineered the protocol. He used a Bluetooth connection utility app (Nordic UART) to connect directly to the Segway miniPRO, and then used this connection to reset the PIN. Kilbride also employed the Ninebot app's built-in "Find other riders near me" capabilities to target other Segway miniPROs.

Using the new PIN, Kilbride connected his local Ninebot app to a nearby Segway miniPRO and then uploaded a new piece of firmware. According to IOActive's security advisory, the system apparently did not include any integrity checks on firmware images before accepting a firmware update.

By the time Kilbride was done, someone else's Segway miniPRO was under his control. Fortunately, Kilbride only performed proof-of-concept tests with knowing participants.

The good news is that IOActive is a white hat firm and informed Segway/Ninebot about the vulnerability last December. Segway/Ninebot, in turn, let IOActive know that the company had patched the critical issues in April.

While I'm happy that Segway/Ninebot took care of this massive security hole, the stunning lack of checks and balances in the original product is disturbing. There was no communication encryption, the PIN code wasn't hardwired into the remote control, and firmware update protocols were sloppy at best.
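The two device-side checks described as missing above, a PIN that the scooter itself enforces before any other command and a signature check on firmware images, can be sketched as follows. This is an added example, not Segway/Ninebot code or their actual patch; the `Device` type, the command names and the use of an Ed25519 vendor key are assumptions, and link encryption is not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrNotAuthed = errors.New("refused: PIN not verified on this connection")
var ErrBadSig = errors.New("refused: firmware signature invalid")

// Device is a hypothetical model of the scooter side of the link (not vendor code).
type Device struct {
	pin       []byte            // PIN chosen at initial setup
	vendorKey ed25519.PublicKey // vendor public key stored on the device (assumption)
	authed    bool              // true once this connection has proved the PIN
	Firmware  []byte            // currently accepted image
}

// Handle processes one command; nothing but a correct "auth" works before the PIN is proved.
func (d *Device) Handle(cmd string, data, sig []byte) error {
	if cmd == "auth" { // constant-time PIN check, done on the device and not in the app
		d.authed = subtle.ConstantTimeCompare(data, d.pin) == 1
	}
	if !d.authed {
		return ErrNotAuthed
	}
	switch cmd {
	case "auth": // already handled above
	case "set_pin": // a PIN reset is only reachable after the old PIN was proved
		d.pin = append([]byte(nil), data...)
	case "update": // accept an image only with a valid vendor signature over it
		if !ed25519.Verify(d.vendorKey, data, sig) {
			return ErrBadSig
		}
		d.Firmware = append([]byte(nil), data...)
	default:
		return errors.New("refused: unknown command")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair standing in for the vendor's
	d, img := &Device{pin: []byte("482913"), vendorKey: pub}, []byte("constructed image")
	fmt.Println(d.Handle("set_pin", []byte("000000"), nil)) // refused: PIN not proved
	fmt.Println(d.Handle("auth", []byte("482913"), nil), d.Handle("update", img, make([]byte, 64)))
	fmt.Println(d.Handle("update", img, ed25519.Sign(priv, img))) // accepted
}
```

A production design would also rate-limit failed PIN attempts and protect the link itself; the sketch only shows where the two checks sit relative to the commands they guard.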

Segway/Ninebot gets credit for building an excellent rideable that, unlike some early competitors, meets all the Underwriters Laboratories (UL) criteria for not catching on fire or blowing up, but they left us vulnerable in an equally dangerous way. Experts have reached out to Segway/Ninebot to confirm IOActive's findings and that the vulnerabilities were patched, and will update this post with their response.

If you own a Segway miniPRO scooter, be sure you're running the latest Ninebot software (Version 4.0) and download the newest firmware (1.4.0). I just updated our scooter and plan to ride it again on Friday. Wish me luck.

Tags: information leaks, hackers
Source: Mashable
Author: Lance Ulanoff