Two security researchers have revealed that they have found a way to hack into the Bluetooth controllers of electric skateboards, seizing control, and potentially sending their riders crashing to the ground.
Speaking to Wired, Mike Ryan and Richard “Richo” Healey, revealed that they first became interested in how easily electric skateboards might be hacked after Healey’s board became uncontrollable last year when he rode into an intersection in Melbourne, Australia.
The area, apparently, was well known for radio interference caused by a bombardment of Bluetooth devices all trying to communicate.
So, Healey hadn’t been hacked – his skateboard had just suffered an (accidental) denial-of-service attack. But his interest, and that of his fellow researcher Mike Ryan, had been piqued.
The two came up with an exploit they dubbed “Faceplant” – interrupting the Bluetooth Low Energy connection between the board and its handheld remote control, and then hijacking control to change direction, alter the speed or disable the brakes:
Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.
The exploit is demonstrated in the following YouTube video:
So far, the researchers have found a way of exploiting a vulnerability in the Boosted electronic skateboard, which sells for an eye-watering $1500, as well as a board made by Revo. A further exploit named “Road Rash” is in the works for the Chinese manufactured E-Go board.
It appears that the electronic skateboard manufacturers have failed to properly secure the communications between the boards and the handheld controllers – with no encryption or authentication being used.
So, if you aren’t a skateboarder should be concerned about this?
Well, aside from the risk that you might be a passer-by or motorist who is hit by a tumbling skateboarder, there *are* other reasons to be concerned.
Because news of this skateboard hack is just the latest in a long line of hacks that are increasingly highlighting the weakness of the Internet of Things.
How many other manufacturers are rushing to connect their devices up to the internet, with little care or thought to the possible security implications?