Claim: An anti theft system allowing attackers to kill remotely the engine in electric scooters made by INOKIM/MyWay, affected model - model Quick 3.
MYWAY/INOKIM created new model - Quick 3, This model has new mobile phone app.
The app has anti theft system, which allows the owners to remotely deactivate the engine, in any situation (on move or during parking), this by using Bluetooth connection to BT module in the electric scooter, It’s a feature.
Malicious attacker can use this Anti-Theft feature, in order to deploy easy attack, and shot down the engine of the scooter, even while the driver is using it in high speed
Potential causalities can be injury or death.
The serial number of the scooter (VIN) just like cars, is shown on the scooter with no physical protection, and that basically all you need to know in order to deploy an easy attack..
The anti thief option in the app, can be trigger any time as long as you have the VIN (Inokim serial number).
Risk: loosing control, Death, injury, road accidents etc.
Technical info:
Attacker can use at least two options in order to deploy attack:
1.VIN and Bluetooth
The VIN, a serial number of the scooter which supposed to be secret due to the potential uses, is shown on the shooter like many other cars, so attacker can take a picture of the scooter frame, or just look at it, and then he can deploy attack with temporary username in the app, and verification by VINs of any scooter out there.
2.Remote control of victim's mobile phones, can allow attacker to control the phone of the owner/target remotely and then deploy an attack even from another country.
Example: Mircast, Trojan horse, spy software with full control of the phone, team-viewer, VNC.
Status:
Company didn't answer to emails sent by
29.07.2017
07.10.2017
National Cyber Security Authority in Israel, got notified and, no update has been given regards proactive changes in the company.
Since the feature is made by design, and supposed to help preventing people from stealing the scooters, it's logic security problem, and not typical mistake, they knew about it.
P.S.
1.The way I got into the VIN problem, is by informers who shared with me the fear of using those scooters, included of live demo they made on their device, of how the scooter can be shot down remotely, in high speed.
The idea of using Mircast or Trojan horse and remote controlling the owner app is mine.
Since at least 3 other people knew about the problem, before it came to my attention, I decided that I must share it now.
Moreover, my research show that connected bikes and connected scooters are becoming very popular, so the community attention must be higher, into engines with remote killing switch..
I believe that international ISO, should make new working groups regards those small vehicles, protecting cars only can’t cover the immediate situation in the streets, we need to make cyber regulation for the new era of mini connected electric vehicles.
You are welcome to contact me for any request
Sources:
Video of the ECU and BT controller.
Android App
IOS app
User Guide Manual
Amitay Dan (popshark1)
