For a time, Segway miniPRO hoverboards could have been hijacked by hackers

For a period, hoverboards were one of the hottest items to buy until some local jurisdictions started banning their use after having classified "Swagways" as powered devices and unfit for use on roads. While Amazon UK followed up by prohibiting hoverboards from being sold on its website, sales continued in the US with one family losing their home to a fire caused by a faulty battery inside one such device.

Now, hoverboards have gained the attention of hackers and the security community, specifically units that can be controlled via a smartphone app. Thomas Kilbride, a security consultant at IOActive, headed up eight months of research that focused specifically on the Ninebot by Segway miniPRO hoverboard and its mobile app, firmware, and other associated software. Of particular interest was the Bluetooth connection that, on the miniPRO, cannot actually be turned off.

Ultimately, his team's efforts paid off and, according to IOActive's press release, allowed them to:

"...bypass safety systems and remotely take control of the device, including changing settings, pace, direction, or even disabling the motor and bringing it to an abrupt and unexpected stop while a rider is in motion."

Of notable concern was the ability for an attacker to perform unauthenticated firmware updates after having leveraged a vulnerability in the device, with Kilbride commenting that:

"FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures. However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations."

In addition to the above, the researcher also discovered that hoverboards in a given area could easily be located given that they were "indexed using their smart phone’s GPS." This understanding could have then led to specific hoverboards being tracked down and compromised, with control then seized from their unknowing operators.

IOActive will be in attendance at the Black Hat cybersecurity conference next week where it will make public its full research. However, before anyone conjures up ideas of gathering an armada of compromised hoverboards, the research firm already disclosed the issue to Segway back in December 2016 which was then fully patched in April of this year. In the meantime, IOActive has published its security advisory on its website.

Source: IOActive via CNET
