Researchers at the Department of Computer Science of the University of Texas at San Antonio (UTSA) have recently exposed vulnerabilities in the micromobility ecosystem that may compromise the security, safety and privacy of users of battery-powered electric scooters.
According to the study led by assistant professor Murtuza Jadliwala, the risks are not bound to the electric scooter itself, but also extend to related software services and applications.
The research comes amid the growing popularity of e-scooters as an option to ease or bypass traffic congestion, with service providers offering riders easy payment options, flexible drop-offs and geolocation at the tap of a button.
The full research paper, to be presented at AutoSec in March 2020, tackles multiple angles that can be used by threat actors including:
- exploiting vulnerabilities in the smartphone application and the communication channels
- exfiltrating data from service providers
- eavesdropping on riders over these channels using hardware or software
- spoofing GPS systems to direct riders to unintended locations
One key factor that enables these attacks is Bluetooth Low Energy (BLE), which most electric scooters rely on. To use the vehicle, a rider needs both Bluetooth and mobile data enabled on their smartphone.
In a published sample of the study, the researchers also warn of physical harm that may come to a rider if any of the electronic or mechanical components are tampered with.
“Once the e-scooter is acquired, the attacker can install malicious modules, remove or replace key components before placing it back in the streets to control the e-scooter remotely or to covertly gather data about the e-scooter and populace near the e-scooter,” the authors wrote.
The paper says attackers “can intentionally injure the victim rider by remotely manipulating or interfering with the e-scooter’s brakes, damaging the tires or other physical damage that could incapacitate the e-scooter.”
An additional risk relates to the personal and sensitive data that is automatically collected by service providers. If data sharing is unregulated and the data is not anonymized, the information can be used to build user profiles. An attacker “can use the information to learn about the users and then strategically place e-scooters on the road, entice riders with suitable social media advertisements, etc.”