Industry News

A skateboard with Bluetooth? Yep, that can be hacked with FacePlant

Two security researchers have revealed that they have found a way to hack into the Bluetooth controllers of electric skateboards, seizing control, and potentially sending their riders crashing to the ground.

Speaking to Wired, Mike Ryan and Richard “Richo” Healey, revealed that they first became interested in how easily electric skateboards might be hacked after Healey’s board became uncontrollable last year when he rode into an intersection in Melbourne, Australia.

The area, apparently, was well known for radio interference caused by a bombardment of Bluetooth devices all trying to communicate.

So, Healey hadn’t been hacked – his skateboard had just suffered an (accidental) denial-of-service attack. But his interest, and that of his fellow researcher Mike Ryan, had been piqued.

The two came up with an exploit they dubbed “Faceplant” – interrupting the Bluetooth Low Energy connection between the board and its handheld remote control, and then hijacking control to change direction, alter the speed or disable the brakes:

Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.

The exploit is demonstrated in the following YouTube video:

So far, the researchers have found a way of exploiting a vulnerability in the Boosted electronic skateboard, which sells for an eye-watering $1500, as well as a board made by Revo. A further exploit named “Road Rash” is in the works for the Chinese manufactured E-Go board.

It appears that the electronic skateboard manufacturers have failed to properly secure the communications between the boards and the handheld controllers – with no encryption or authentication being used.

So, if you aren’t a skateboarder should be concerned about this?

Well, aside from the risk that you might be a passer-by or motorist who is hit by a tumbling skateboarder, there *are* other reasons to be concerned.

Because news of this skateboard hack is just the latest in a long line of hacks that are increasingly highlighting the weakness of the Internet of Things.

Wearable fitness trackers, sniper rifles, and even Jeeps driving at 70mph down a busy highway have all been found vulnerable to hackers in the last few weeks.

How many other manufacturers are rushing to connect their devices up to the internet, with little care or thought to the possible security implications?

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment
  • “…manufacturers are rushing to connect their devices up to the internet, with little care or thought to the possible security implications…”

    Yup. In a sane world (defined here as “one that does not seek ways of complicating things that are better off left simple”), a skateboard would remain a skateboard. Not so in a world apparently obsessed with “the Internet of Things”.

    But then, a skateboard with internet connectivity is only slightly more absurd than one that sells for $1,500.