Seattle, WA – July 19, 2017 – IOActive, Inc., a global security consulting firm and the worldwide leader in research-driven security services, today released new research exposing security vulnerabilities found in the Segway/Ninebot MiniPRO Hoverboard. IOActive researchers evaluated the flaws and determined they were of critical risk, leaving the hoverboards vulnerable to attack. If exploited, an attacker could bypass safety systems and remotely take control of the device, including changing settings, pace, direction, or even disabling the motor and bringing it to an abrupt and unexpected stop while a rider is in motion.
The research was conducted by IOActive Embedded Devices Security Consultant, Thomas Kilbride, and is documented in a Security Advisory available on the IOActive website here.
“FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures,” said Kilbride. “However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations.”
During the past eight months, Kilbride tested mobile applications, firmware images, and other software in order to identify the flaws. He found that once a vulnerability had been exploited, he could essentially gain full control of the scooter. Kilbride was able to perform a firmware update of the scooter’s control system without authentication and modify the controller firmware to remove rider detection. Additionally, he determined that an attacker could make a hoverboard stop suddenly, creating the risk for serious injury.
“Using reverse engineering and protocol analysis, I was able to discover a number of worrisome security threats,” continued Kilbride. “For example, I determined that riders in the area were indexed using their smart phone’s GPS. Therefore, each rider’s location was publicly available, so the hoverboards could be found, tracked, hijacked, and controlled without the rider’s knowledge.”
The advisory also discusses the steps that should be taken by manufacturers to mitigate the various risks presented by the vulnerabilities identified, including firmware integrity checking, encryption, PIN authentication, and more.
IOActive disclosed the vulnerabilities to Segway/Ninebot, and the company subsequently released a new version to address some of the issues identified and informed IOActive of the fixes.
The research will be included in a presentation Kilbride will give at IOActive’s IOAsis event next week during Black Hat USA 2017 in Las Vegas. His session takes place on Wednesday, July 26 from 1:50 p.m. – 2:40 p.m. PT in Palm B Room in Mandalay Bay.
IOActive’s research team also put together a short video that demonstrates this Segway research here: https://www.youtube.com/watch?v=lq3EPiG5guk&feature=youtu.be
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Read the IOActive Labs Research Blog: http://blog.ioactive.com. Follow IOActive on Twitter: http://twitter.com/ioactive.