Wheel-diculous Bluetooth security revealed
Nice to look at, easy to hack. The Segway miniPro
The latest two-wheel transporter toy from Segway was disturbingly easy to hack, with miscreants requiring just seconds to take control of a vehicle, we’re told.
Researchers at hacking house IOActive probed the Chinese Segway miniPro, and said they found the wireless link between the machine and its accompanying mobile app was insecure – allowing anyone in radio range to potentially reconfigure and commandeer passing rides.
In a talk due to be given at next week’s Black Hat conference in Las Vegas, Thomas Kilbride, embedded devices security consultant for IOActive, will explain how it was possible to disable the anti-theft system on the miniPro in seconds via Bluetooth, with full control achievable in less than half a minute using a smartphone.
The problem, as is all too common with Internet of Sh!t devices, was in the communications: the Segway’s firmware talked to its Android and iOS apps using exploitable chatter. Although the apps use a PIN system to authenticate with the vehicle, a suitable script on, say, an attacker’s laptop could fire the right signals over Bluetooth at the hardware to reset the PIN to something they know. With the new code, the miscreant could use the standard app to connect to and take over the miniPro.
“The Bluetooth PIN code is essentially cosmetic,” Kilbride told The Register. “You don’t need the PIN to run privileged commands, and so you can reset its controls to your device with a simple script.”
Once past the PIN barrier, an attacker would have full access to the Segway. That would be enough to disable the anti-theft system that comes with the scooter and to use the “find riders nearby” function to identify additional targets.
Because the firmware and its applications didn’t use any kind of certificate signing or key exchange, an attacker with a bit more time on their hands could have caused all kinds of mayhem. In less than 30 seconds, Kilbride was able to flash a custom firmware update onto a hijacked scooter that gave even more control than the manufacturers would like.
For example, the miniPro app and the standard firmware allow the user to remotely control the scooter if it’s freestanding, but not if someone is riding it. With a modified version of the app, and a customized firmware injected, an attacker could take control of the Segway while it was being ridden and bring it to a sudden stop, catapulting the rider into the ground. Tricky but not impossible.
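The two weaknesses the article describes, a PIN that privileged commands never actually check and firmware images that are flashed without any authenticity check, are easiest to see side by side. The following is an added example, not code from IOActive, Segway or the miniPro app: a toy model of a transporter's command handler in Python, with the weak and the hardened version next to each other. The device state, command names, PINs and key are all constructed for illustration, and an HMAC-SHA256 tag stands in for a real firmware signature so that the example needs only the standard library.

```python
"""Toy model of a BLE-facing command handler for a personal transporter.

Added, constructed example. It is not the vendor's or IOActive's code; every
command name, PIN and key below is made up for illustration.
"""
import hashlib
import hmac

# Commands that must only run on an authenticated link.
PRIVILEGED = {"reset_pin", "disable_anti_theft", "flash_firmware"}


class Device:
    """Constructed stand-in for the transporter's firmware state."""

    def __init__(self, pin, fw_key):
        self.pin = pin                  # PIN the companion app must present
        self.authenticated = False      # set by a successful "auth"
        self.anti_theft = True
        self.firmware = b"factory-image"
        self.fw_key = fw_key            # key the device uses to check images
        self.log = []                   # rejected requests, for detection


def weak_handle(dev, cmd, arg=None):
    """Insecure handler: an "auth" command exists, but nothing consults
    dev.authenticated, so the PIN is cosmetic and any image is accepted."""
    if cmd == "auth":
        dev.authenticated = (arg == dev.pin)
        return dev.authenticated
    if cmd == "reset_pin":
        dev.pin = arg
        return True
    if cmd == "disable_anti_theft":
        dev.anti_theft = False
        return True
    if cmd == "flash_firmware":
        dev.firmware = arg
        return True
    return False


def sign_firmware(key, image):
    """HMAC-SHA256 tag over the image; stands in for a vendor signature.
    (A real product should use a public-key signature so that no signing
    secret has to live on the device itself.)"""
    return hmac.new(key, image, hashlib.sha256).digest()


def firmware_is_authentic(dev, image, tag):
    """Constant-time check that the image carries a valid tag."""
    if tag is None:
        return False
    return hmac.compare_digest(sign_firmware(dev.fw_key, image), tag)


def hardened_handle(dev, cmd, arg=None, tag=None):
    """Hardened handler: privileged commands require a prior successful
    "auth", a PIN change forces re-authentication, and firmware images are
    flashed only when their tag verifies."""
    if cmd == "auth":
        ok = hmac.compare_digest(str(arg or ""), dev.pin)
        dev.authenticated = ok
        if not ok:
            dev.log.append("auth failed")
        return ok
    if cmd in PRIVILEGED and not dev.authenticated:
        dev.log.append(f"rejected unauthenticated {cmd}")
        return False
    if cmd == "reset_pin":
        dev.pin = arg
        dev.authenticated = False   # the new PIN must be proven before further privileged work
        return True
    if cmd == "disable_anti_theft":
        dev.anti_theft = False
        return True
    if cmd == "flash_firmware":
        if not firmware_is_authentic(dev, arg, tag):
            dev.log.append("rejected unauthenticated firmware image")
            return False
        dev.firmware = arg
        return True
    return False


def demo():
    """Run the article's sequence (reset PIN, authenticate with the new PIN,
    disable anti-theft, flash an image) against both handlers."""
    key = b"constructed-device-key"
    weak = Device(pin="1234", fw_key=key)
    weak_results = [
        weak_handle(weak, "reset_pin", "0000"),
        weak_handle(weak, "auth", "0000"),
        weak_handle(weak, "disable_anti_theft"),
        weak_handle(weak, "flash_firmware", b"custom-image"),
    ]
    hard = Device(pin="1234", fw_key=key)
    hard_results = [
        hardened_handle(hard, "reset_pin", "0000"),
        hardened_handle(hard, "auth", "0000"),
        hardened_handle(hard, "disable_anti_theft"),
        hardened_handle(hard, "flash_firmware", b"custom-image"),  # no tag
    ]
    # The legitimate owner, with the real PIN and a properly tagged image.
    hardened_handle(hard, "auth", "1234")
    good_tag = sign_firmware(key, b"vendor-image")
    owner_flash = hardened_handle(hard, "flash_firmware", b"vendor-image", good_tag)
    tampered = hardened_handle(hard, "flash_firmware", b"vendor-image-x", good_tag)
    return {
        "weak_results": weak_results, "weak_anti_theft": weak.anti_theft,
        "weak_firmware": weak.firmware, "hard_results": hard_results,
        "hard_anti_theft": hard.anti_theft, "hard_pin": hard.pin,
        "owner_flash": owner_flash, "tampered_flash": tampered, "hard_log": hard.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

On the weak device every step of the sequence succeeds and the anti-theft system ends up off with a foreign image installed; on the hardened device the same four unauthenticated requests are refused and logged, while the owner's properly tagged image is still accepted and a tampered copy of it is not. The log entries are the point from a defender's perspective: a burst of rejected privileged commands on the radio link is exactly what a device should report.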
Those dreaming of sending hipsters crashing into the dirt can forget it, though. IOActive followed responsible disclosure, and the holes have now been patched, apparently: a firmware update addressing the security weaknesses was pushed to owners’ phones and onto the rides. It’s possible that everyone is now up to date. That an over-the-air fix was possible at all shows some progress is being made in IoT security.
Two years ago researchers demonstrated (sort of) at DEF CON that motorized skateboards were easy to hack using lousy Bluetooth security. It seems little has been learned since. ®