Xiaomi M365 scooters can be hacked and managed remotely

Xiaomi M365 electric scooters are vulnerable: the security problem in these vehicles was discovered by expert Reni Idan from Zimperium, a company that sells exploits. The flaw is serious enough to let an attacker remotely control an electric scooter, making the vehicle slow down or accelerate suddenly.

The problem lies in the way Xiaomi M365 users are authenticated. The password required to authenticate to the scooter is not used correctly: it is checked only on the application side.

The scooter itself does not monitor the authentication process, which leads to a serious bug – all commands can be executed without the need to enter a password.
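The difference between an app-side check and device-side enforcement can be modelled in a few lines. The following is an added example, not code from Zimperium or Xiaomi; the class names, command names, fixed salt and challenge-response scheme are assumptions chosen for illustration and do not describe the M365 protocol.

```python
import hashlib
import hmac
import secrets

# Hypothetical command names, constructed for this example.
SENSITIVE = {"lock", "set_password", "firmware_update"}


class AppOnlyCheckScooter:
    """Flawed design from the article: the device never verifies anything."""

    def handle(self, command):
        return f"executed {command}"  # runs for any sender in radio range


class DeviceEnforcedScooter:
    """Device-side enforcement: sensitive commands need a proven session."""

    def __init__(self, password):
        # Fixed demo salt (assumption); a real device would store its own.
        self._key = hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)
        self._nonce = None
        self._authenticated = False

    def challenge(self):
        # Fresh nonce per attempt so a captured response cannot be replayed.
        self._nonce = secrets.token_bytes(16)
        self._authenticated = False
        return self._nonce

    def authenticate(self, response):
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # each challenge is valid for one attempt only
        self._authenticated = hmac.compare_digest(expected, response)
        return self._authenticated

    def handle(self, command):
        if command in SENSITIVE and not self._authenticated:
            return "rejected: not authenticated"
        return f"executed {command}"


def client_response(password, nonce):
    """What a legitimate app computes from the user's password."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

In the second model the decision to run a command is made on the device, so a client that skips the password prompt gains nothing.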

To demonstrate the attack vector, the researcher first conducted a DoS attack on the M365, and then prepared the foundation for installing a malicious version of the firmware, which allows an attacker to gain complete control over the scooter.

Zimperium has even created proof-of-concept code in the form of a malicious application. This application can search for nearby Xiaomi M365 scooters, and then exploit the vulnerability found in these devices.

The attack process itself can be viewed in the video, which we present below:

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
