Thomas Kilbride, a security researcher from security firm IOActive, have discovered several critical vulnerabilities in Segway Ninebot miniPRO that could be exploited by hackers to remotely take "full control" over the hoverboard within range and leave riders out-of-control.
Segway Ninebot miniPRO is a high-speed, self-balancing, two-wheel, hands-free electric scooter, also known as SUV of hoverboards, which also allows it riders to control the hoverboard by a Ninebot smartphone app remotely.
Ninebot smartphone app allows riders to adjust light colours, modify safety features, run vehicle diagnostics, set anti-theft alarms, and even remotely commanding the miniPRO scooter to move.
In a blog post published today, Thomas has disclosed a series of critical security vulnerabilities in Segway's miniPRO scooter, and we have compiled them in a simple, understandable format below:
- Security PIN Bypass — A potential attacker can use the modified version of the Nordic UART app to connect Segway Ninebot miniPRO via Bluetooth without requiring any security PIN.
- Unencrypted Communications — Ninebot App & the Hoverboard communicates over an unencrypted channel, allowing a remote attacker to perform man-in-the-middle attacks and inject malicious payloads.
- No Firmware Integrity Verification — Lack of unencrypted communication and Firmware integrity verification mechanism to detect unauthorised changes allows an attacker to push malicious firmware update.
- Reveal GPS Location of Nearby Riders — GPS feature in Ninebot App known as "Rider Nearby," which lets users to find other nearby miniPro riders in the real-time, exposes hoverboard location through the phone's GPS publicly to potential attackers and thieves.
If exploited, these vulnerabilities could at one time be used to disrupt the device's settings, speed, the direction of movement and internal motor.
Thomas has also provided a video demonstration showing how he was able to push the malicious firmware update to the miniPro, leaving the device open to further hacks.