E-scooters simple to hack, says researcher

Name: Focus: Mike Hosking tries out Lime e-Scooters
Uploaded: 2018-10-31T13:11:48+13:00
Duration: 124 s
Description: Newstalk ZB Breakfast host Mike Hosking hates public transport, but wants to find out if Lime e-scooters could be the solution.

By Juha Saarinen

Tech blogger for nzherald.co.nz.·NZ Herald·

19 Nov, 2018 11:37 PM3 mins to read

Newstalk ZB Breakfast host Mike Hosking hates public transport, but wants to find out if Lime e-scooters could be the solution.

The hugely popular Chinese-made rental e-scooters are not only potentially unsafe to ride but suffer from poor security making them easily hackable, a researcher has found.

Geneticist and well-known Linux developer Matthew Garrett who now works for Google showed how easily e-scooters, such as those operated by Lime, can be unlocked without authorisation and their riders tracked, at the Kiwicon IT security conference in Wellington.

Garrett found much of the information he needed for this in the Java-based Android apps that users run on their smartphones to rent scooters from multiple vendors. He was also able to query the servers the apps connected to over the internet for further information, without access restrictions.

In the process, Garrett discovered that the same six-digit unlock code works for all scooters of a particular brand.

With this knowledge, anyone with moderate technical skills can use the scooters without paying. Since the Global Positioning System (GPS) tracking device on e-scooters is independent of their digital management systems, all that the rental company would see remotely are two-wheelers zooming around supposedly without any riders on them.

Unauthorised access to the management system on e-scooters could also be abused to switch them off while riders use them, or to manipulate the accelerators with potentially disastrous consequences.

There are privacy impacts as well from the poor security of e-scooters' management system.

Renters' rides can be silently tracked in real-time as servers can be queried for, and will reveal the GPS-reported location of e-scooters to anyone.

This can be done at scale as well: Garrett was able to issue over a million queries to the servers for e-scooter information, after which the servers limited the amount of requests.

Tracking and mapping riders can be done globally, in all the countries a company is active in.

Garrett noted it was possible to figure out who works for the United States government through the information leakage.

Furthermore, the poorly thought out security meant competitors could easily access sensitive company data and use the information to their advantage.

E-scooters have shot to popularity in New Zealand over the past few months, and have been criticised for being dangerous for both riders and the pedestrians they share the pavement with due to their relatively high speeds.

Auckland Council last week said it would crack down on e-scooter safety, mandating the wearing of helmets, and limiting the speeds at which the two-wheelers can travel.

Police would enforce the new rules for e-scooters and their riders, Auckland Council said.

The Herald has contacted Lime for comment.