A helmet may not be enough to keep you safe(r) while riding an e-scooter
Electric scooters are steadily becoming a popular alternative for short commutes. Besides convenience, however, they also introduce a range of cybersecurity and privacy risks, according to a study by the University of Texas at San Antonio (UTSA).

The review – which UTSA said is “the first review of the security and privacy risks posed by e-scooters and their related software services and applications” – outlines various attack scenarios that riders might face and suggests measures to tackle the risks.
Many e-scooters rely on a combination of Bluetooth Low Energy (BLE) and the rider’s smartphone internet connection to run, as well as to send data to the service provider. This opens up a number of avenues for potential attacks. For example, bad actors could eavesdrop on the data being broadcast, which could, in turn, lead to Man-in-the-Middle (MitM) and replay attacks. As a result, in some cases hackers could remotely inject commands to take control of the scooter and harm the rider or pedestrians. In fact, this very risk was already discovered in one of Xiaomi’s scooters last year.
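The replay risk described above comes from commands that are accepted on the strength of their bytes alone: anything captured over the air can simply be sent again. The following is an added illustration, not code from the UTSA study, the article, or any scooter vendor, of the standard mitigation: each command carries a strictly increasing counter and an HMAC over the counter and opcode under a key shared during pairing. The frame layout, the opcodes, and the shared key are assumptions constructed for this example, not a real scooter protocol.

```python
import hmac
import hashlib
import struct

# Hypothetical shared key provisioned between the app and the scooter during pairing
# (constructed for this example; a real deployment would derive it per device).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Opcodes are an assumption for illustration, not a real scooter command set.
CMD_UNLOCK = 0x01
CMD_LOCK = 0x02

FRAME_LEN = 5 + 32  # counter (4 bytes, big-endian) | opcode (1 byte) | HMAC-SHA256 tag (32 bytes)


def build_command(key: bytes, counter: int, opcode: int) -> bytes:
    """Rider side: bind the opcode to a fresh counter value and authenticate both."""
    body = struct.pack(">IB", counter, opcode)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class ScooterReceiver:
    """Scooter side: reject forged frames and any frame whose counter is not strictly newer."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes):
        if len(frame) != FRAME_LEN:
            return (False, "malformed")
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        counter, opcode = struct.unpack(">IB", body)
        # A captured frame re-sent later carries an old counter and is refused here.
        if counter <= self.last_counter:
            return (False, "replay")
        self.last_counter = counter
        return (True, opcode)


def demo():
    """Walk one scooter through a fresh command, a replay, a tampered frame and a newer command."""
    scooter = ScooterReceiver(SHARED_KEY)
    frame1 = build_command(SHARED_KEY, 1, CMD_UNLOCK)
    r1 = scooter.accept(frame1)            # fresh counter, valid tag: accepted
    r2 = scooter.accept(frame1)            # identical bytes sent again: rejected as replay
    tampered = bytearray(frame1)
    tampered[4] = CMD_LOCK                 # opcode changed without the key: tag no longer matches
    r3 = scooter.accept(bytes(tampered))
    frame2 = build_command(SHARED_KEY, 2, CMD_LOCK)
    r4 = scooter.accept(frame2)            # newer counter: accepted
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The counter defeats replay of captured frames and the tag defeats modification of them; neither defends against an active MitM that relays a fresh frame as it is produced, which is why the study also calls for the transport itself to be protected rather than relying on command-level checks alone. The receiver must persist `last_counter` across reboots, otherwise an old frame becomes valid again after a power cycle.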
A scooter’s battery, engine, brakes, headlights and controller chip are among the key components that can be targeted during a physical attack. Attackers can then swap out key components or install “malicious modules” allowing them to remotely control the scooter or gather private information on the sly. By remotely manipulating the brakes and acceleration, the bad actor can injure the rider and/or other people.
Micromobility apps usually track the e-scooters’ whereabouts, which means that location spoofing is another thing to worry about. Bad actors can, for example, lure a rider to a secluded area to harm them.
E-scooter providers require a wide range of information from the riders to sign up for their service. Usually, these include some form of identification, along with billing, contact and demographic information. The providers automatically collect additional data, including GPS and smartphone-specific information. Attackers with access to such data can create a comprehensive image of riders’ habits, places they frequent, and routes they are likely to use.
Most of the risks can be mitigated by implementing cybersecurity best practices. Employees recharging the scooters could check their mechanical or electrical components to make sure nobody had tampered with the scooters. As for the looming privacy risks, one of the best steps would be to implement a privacy-by-design approach for the applications, making the parts that handle data inaccessible to unauthorized personnel. In addition, data traffic monitoring would help the service provider to react to threats in real time.