
Segway hoverboard hijack hack could make hipsters eat pavement

Wheel-diculous Bluetooth security revealed

The latest two-wheel transporter toy from Segway was disturbingly easy to hack, with miscreants requiring just seconds to take control of a vehicle, we're told.

Researchers at hacking house IOActive probed the Chinese Segway miniPro, and said they found the wireless link between the machine and its accompanying mobile app was insecure – allowing anyone in radio range to potentially reconfigure and commandeer passing rides.

In a talk due to be given at next week’s Black Hat conference in Las Vegas, Thomas Kilbride, embedded devices security consultant for IOActive, will explain how it was possible to disable the anti-theft system on the miniPro in seconds via Bluetooth, with full control achievable in less than half a minute using a smartphone.

The problem, as is all too common with Internet of Sh!t devices, was in the communications: the Segway's firmware talked to its Android and iOS apps using exploitable chatter. Although the apps use a PIN system to authenticate with the vehicle, a suitable script on, say, an attacker's laptop could fire the right signals over Bluetooth at the hardware to reset the PIN to something they know. With the new code, the miscreant could use the standard app to connect to and take over the miniPro.

“The Bluetooth PIN code is essentially cosmetic,” Kilbride told The Register. “You don’t need the PIN to run privileged commands, and so you can reset its controls to your device with a simple script.”

Once past the PIN barrier, an attacker would have full access to the Segway. That would be enough to disable the anti-theft system that comes with the scooter and to use the “find riders nearby” function to identify additional targets.

Because the firmware and its applications didn't use any kind of certificate signing or key exchange, an attacker with a bit more time on their hands could have caused all kinds of mayhem. In less than 30 seconds, Kilbride was able to flash a custom firmware update onto a hijacked scooter that gave even more control than the manufacturers would like.
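The two gaps described above, a PIN that is not enforced on privileged commands and firmware accepted without any integrity check, can be seen in a small device-side model. This is an added example, not code from IOActive, Segway or the original article; the `Scooter` class, command names and key are hypothetical, and an HMAC tag stands in for the asymmetric signature a real updater would verify.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor signing key. A real device would hold only a
# public key and verify an asymmetric signature; HMAC keeps this stdlib-only.
VENDOR_KEY = b"constructed-demo-key"
PRIVILEGED = {"SET_PIN", "DISABLE_ANTITHEFT", "FLASH_FIRMWARE"}


def sign_firmware(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: produce the tag shipped alongside the image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class Scooter:
    """Hypothetical command handler; not the miniPro's actual protocol."""

    def __init__(self, pin: bytes, enforce: bool):
        self.pin = pin
        self.enforce = enforce        # False models the "cosmetic" PIN
        self.authenticated = False
        self.antitheft = True
        self.firmware = b"factory"

    def handle(self, cmd: str, arg: bytes = b"", tag: bytes = b"") -> str:
        if cmd == "AUTH":
            # Constant-time comparison of the presented PIN.
            self.authenticated = hmac.compare_digest(arg, self.pin)
            return "OK" if self.authenticated else "DENIED"
        if cmd not in PRIVILEGED:
            return "UNKNOWN"
        # Hardened path: every privileged command needs an authenticated link.
        if self.enforce and not self.authenticated:
            return "DENIED"
        if cmd == "SET_PIN":
            self.pin = arg
        elif cmd == "DISABLE_ANTITHEFT":
            self.antitheft = False
        elif cmd == "FLASH_FIRMWARE":
            # Hardened path: reject images the vendor key did not sign.
            if self.enforce and not hmac.compare_digest(tag, sign_firmware(arg)):
                return "BAD_SIGNATURE"
            self.firmware = arg
        return "OK"
```

With `enforce=False` the handler accepts a PIN change and an unsigned image from an unauthenticated peer; with `enforce=True` both are refused until the correct PIN is presented and the image carries a valid tag.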

For example, the miniPro app and the standard firmware allow the user to remotely control the scooter if it’s freestanding, but not if someone is riding it. With a modified version of the app, and a customized firmware injected, an attacker could take control of the Segway while it was being ridden and bring it to a sudden stop, catapulting the rider into the ground. Tricky but not impossible.

Those dreaming of sending hipsters crashing into the dirt can forget it, though. IOActive followed responsible disclosure, and the holes have now been patched, apparently: a firmware update addressing the security weaknesses was pushed to owners' phones and onto the rides. It's possible everyone is now up to date. That this was possible at all shows some progress is being made in IoT security.

Two years ago researchers demonstrated (sort of) at DEF CON that motorized skateboards were easy to hack using lousy Bluetooth security. It seems little has been learned since. ®
