When you imagine riding a Segway MiniPro electric scooter, your biggest concern is probably falling on your face. Much lower on that list? The notion that attackers could remotely hack your ride, make it stop short, or even drive you into traffic. Unfortunately, as one researcher found, they could have done just that.
When Thomas Kilbride got a Segway MiniPro, its paired mobile app piqued his interest; by day, Kilbride works as an embedded device security consultant at IOActive. The app already has fairly potent capabilities as designed. You can use it to remote control your scooter or shut it off when no one’s on it, and you could even use its social GPS tracking feature to show all Segway MiniPros in an area in real-time. But when Kilbride investigated the security behind those features, he found vulnerabilities that an attacker could exploit to bypass the hoverboard’s safety protections from afar, and take control of the device.
“I own a hoverboard, I use it quite frequently because parking is expensive,” Kilbride says. “I was surprised that the exploits were as accessible as they were. Something like a transportation device should be handled with the utmost care and security, because somebody could be thrown off of it or seriously injured if an attacker decides that they want to [hack] it.”
The Segway MiniPro app uses Bluetooth to connect to the vehicle itself. In addition to the features mentioned above, it can also change device settings and accept firmware updates to the scooter for tweaks and improvements. Think of it like a smart lighting app that talks to the bulbs.
While analyzing the communication between the app and the Segway scooter itself, Kilbride noticed that a user PIN meant to protect the Bluetooth communication from unauthorized access wasn’t being used for authentication at every level of the system. As a result, Kilbride could send arbitrary commands to the scooter without needing the user-chosen PIN.
He also discovered that the hoverboard’s software update platform didn’t have a mechanism in place to confirm that firmware updates sent to the device were really from Segway (often called an “integrity check”). This meant that in addition to sending the scooter commands, an attacker could easily trick the device into installing a malicious firmware update that could override its fundamental programming. In this way an attacker would be able to nullify built-in safety mechanisms that prevented the app from remote-controlling or shutting off the vehicle while someone was on it.
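The two gaps described above, and the device-side checks that close them, can be sketched as an added example; this is not Segway's code or the MiniPro's actual Bluetooth protocol. The `Scooter` class, the command names, the PIN and the key are all hypothetical, and HMAC-SHA256 stands in for the signature check so the sketch runs on the standard library alone; a real device would verify an asymmetric signature and store only the vendor's public key.

```python
import hashlib
import hmac

# Constructed values for illustration only; none come from Segway's product.
USER_PIN = b"493817"
VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key


def sign_firmware(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: tag an image. HMAC-SHA256 stands in for a real signature."""
    return hmac.new(key, image, hashlib.sha256).digest()


class Scooter:
    """Hypothetical device-side command handler (not the MiniPro protocol)."""

    def __init__(self, enforce: bool):
        self.enforce = enforce  # False models the behaviour the article describes
        self.authenticated = False
        self.firmware = b"factory-image"

    def unlock(self, pin: bytes) -> bool:
        # Constant-time comparison avoids leaking how much of the PIN matched.
        self.authenticated = hmac.compare_digest(pin, USER_PIN)
        return self.authenticated

    def handle(self, command: str, payload: bytes = b"", tag: bytes = b"") -> str:
        # Check 1: the device itself requires a PIN-authenticated session
        # for every command, instead of trusting the app to ask for the PIN.
        if self.enforce and not self.authenticated:
            return "rejected: not authenticated"
        if command == "set_led":
            return "ok: led set"
        if command == "update_firmware":
            # Check 2: the image must carry a valid vendor tag before it is
            # written. With an asymmetric scheme this would be a verify call.
            if self.enforce and not hmac.compare_digest(tag, sign_firmware(payload)):
                return "rejected: bad signature"
            self.firmware = payload
            return "ok: firmware installed"
        return "rejected: unknown command"
```

With `enforce=False` the handler installs any image from an unauthenticated sender; with `enforce=True` the same request fails at the first check, and an authenticated sender still cannot install an image without a valid tag.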
“The app allows you to do things like change LED colors, it allows you to remote-control the hoverboard and also apply firmware updates, which is the interesting part,” Kilbride says. “Under the right circumstances, if somebody applies a malicious firmware update, any attacker who knows the right assembly language could then leverage this to basically do as they wish with the hoverboard.”
As if that weren’t enough, the Segway MiniPro app also provided one other tool to unintentionally aid in malicious activity. The GPS feature known as “Rider Nearby” acted as a sort of social platform for finding other MiniPro owners, but it’s easy to see how publicly available, persistent location tracking could be abused. As part of addressing Kilbride’s findings, Segway discontinued the feature.
The good news is that IOActive disclosed the bugs to Segway, which is owned by Chinese scooter-maker Ninebot, in January, and the company addressed the bulk of the problems in an app update in April. As part of the changes, Segway added mechanisms like cryptographic signing to validate firmware updates, which should prevent full takeovers. It eliminated the Rider Nearby feature, and took steps to evaluate its Bluetooth communication protocols and security. Segway has not yet returned a request from WIRED for comment. Kilbride says the company was responsive to his disclosures, but notes that some weaknesses may still exist in the way users can access the device’s Bluetooth management interface. The severe attacks Kilbride executed during his research aren’t possible anymore, though.
Although patched, the extensive exposure in a digitally connected vehicle still reinforces the very real dangers of device hacking. IoT vulnerabilities have already led to real-world harm in many incidents, and “smart” transportation has long posed clear physical safety risks if left unsecured. For Segway, pairing an internet-connected device with a Bluetooth-enabled vehicle created exposures that a standalone scooter without digital connectivity would have avoided.
In terms of existential dread, you can find some reprieve in knowing that most hackers are seeking profit, and there isn’t a lot of money to be made in maiming Segway riders. But stealing Segways, which someone could have done with Kilbride’s exploits, could be a genuinely appealing scheme.