Electric scooters vulnerable to remote hacks
A helmet may not be enough to keep you safe(r) while riding an e-scooter

Electric scooters are steadily becoming a popular alternative for short commutes. Besides convenience, however, they also introduce a range of cybersecurity and privacy risks, according to a study by the University of Texas at San Antonio (UTSA).

The review – which UTSA said is “the first review of the security and privacy risks posed by e-scooters and their related software services and applications” – outlines various attack scenarios that riders might face, as well as how to tackle the risks.

Many e-scooters rely on a combination of Bluetooth Low Energy (BLE) and the rider’s smartphone internet connection to run, as well as to send data to the service provider. This opens up a number of avenues for potential attacks. For example, bad actors could eavesdrop on the data being broadcast, which could, in turn, lead to Man-in-the-Middle (MitM) and replay attacks. Those could allow hackers to remotely inject commands and injure the rider or pedestrians. Last year, this risk was already discovered in one of Xiaomi’s scooters.
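The replay risk described above comes down to the scooter accepting any well-formed command frame it hears. The following is an added example, not code from the UTSA study, the article, or any scooter vendor: a constructed command channel in which each frame carries a monotonically increasing counter and an HMAC, so a captured frame cannot be replayed or altered, shown next to the naive version that accepts replays. The frame layout, the command code and the key are assumptions made for the demonstration.

```python
# Added example (not from the UTSA study or the article): a minimal scooter
# command channel that resists replay, beside one that does not.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real key would be per-pairing


class NaiveScooter:
    """Accepts any well-formed frame, so a captured frame can be replayed forever."""
    def __init__(self):
        self.speed_limit = 20

    def handle(self, frame: bytes) -> bool:
        cmd, arg = struct.unpack(">BB", frame)   # assumed layout: cmd, argument
        if cmd == 0x01:                          # assumed command: set speed limit
            self.speed_limit = arg
            return True
        return False


class AuthScooter:
    """Requires an HMAC over (counter, cmd, arg) and a strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.speed_limit = 20

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 6 + 32:                 # 4-byte counter + 2-byte body + SHA-256 tag
            return False
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # tampered or forged frame
            return False
        counter, cmd, arg = struct.unpack(">IBB", body)
        if counter <= self.last_counter:         # replayed or stale frame
            return False
        self.last_counter = counter
        if cmd == 0x01:
            self.speed_limit = arg
            return True
        return False


def build_frame(key: bytes, counter: int, cmd: int, arg: int) -> bytes:
    """Legitimate sender side: pack the body and append its HMAC tag."""
    body = struct.pack(">IBB", counter, cmd, arg)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo():
    naive = NaiveScooter()
    captured = struct.pack(">BB", 0x01, 35)      # a frame an eavesdropper could record
    naive_results = (naive.handle(captured), naive.handle(captured))  # both accepted

    auth = AuthScooter(KEY)
    frame = build_frame(KEY, 1, 0x01, 25)
    first = auth.handle(frame)                   # genuine frame: accepted
    replayed = auth.handle(frame)                # same counter again: rejected
    tampered = auth.handle(frame[:5] + bytes([35]) + frame[6:])  # edited arg: bad MAC
    return naive_results, first, replayed, tampered, auth.speed_limit
```

Running `demo()` shows the naive scooter accepting the recorded frame twice, while the authenticated one accepts the genuine frame once and rejects both the replay and the edited copy.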

A scooter’s battery, engine, brakes, headlights and controller chip are among the key components that can be targeted during a physical attack. Attackers can then swap out key components or install “malicious modules” allowing them to remotely control the scooter or gather private information on the sly. By remotely manipulating the brakes and acceleration, the bad actor can injure the rider and/or other people.

Micromobility apps usually track the e-scooters’ whereabouts, which means location spoofing is another thing to worry about. Bad actors can, for example, lure a rider to a secluded area to harm them. Alternatively, they can make the scooter hard to find by giving it a fake random location, which would result in lost revenue for the provider.

E-scooter providers require a wide range of information from the riders to sign up for their service. Usually, these include some form of identification, along with billing, contact and demographic information. The providers automatically collect additional data, such as riders’ locations and their smartphone information. Attackers with access to the data can create a comprehensive image of riders’ habits, places they frequent, and routes they are likely to use.

Most of the risks can be mitigated by implementing cybersecurity best practices. Employees recharging the scooters could check their mechanical and electrical components to make sure nobody has tampered with them. As for the looming privacy risks, one of the best steps would be to implement a privacy-by-design approach for the applications, making the parts that handle data inaccessible to unauthorized personnel. In addition, data traffic monitoring would help the service provider react to threats in real time.
