Hackers could cause road traffic collisions by taking over electric scooters

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Hackers could have used a vulnerability in electric scooters to cause road traffic collisions, researchers have revealed.

They found a number of “critical” security flaws in a popular type of self-balancing electric scooter – also widely known as a ‘hoverboard’ – that could let criminals remotely take control of one, even if it was being driven at the time.

If they wanted to, they could throw the rider off by making it come to an abrupt stop, or even drive it into traffic.

IOActive researcher Thomas Kilbride discovered the issue with the Ninebot by Segway MiniPRO, a model that costs around £700 and can reach speeds of 10mph.

He was able to seize full control of it by “[performing] a firmware update of the scooter’s control system without authentication and [modifying] the controller firmware to remove rider detection”, says the security firm.

“Most riders are in close proximity to automotive traffic and if someone were to fall off at the wrong time then it could easily result in a serious traffic injury or death,” Mr Kilbride told the Independent.

He added: “FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures.

“However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations.”

So-called hoverboards became popular back in 2015, but soon came under intense scrutiny after models started catching fire.

While it’s illegal to ride them on roads in the UK, you can ride them on private land, such as a front garden.

“With the proper equipment an attacker would be able to attack multiple hoverboards, but only if they were within Bluetooth range,” Mr Kilbride continued.

“As with all wireless systems, it’s hard to put exact measurements on a maximum range. With specialised equipment I’m comfortable saying that an attacker could run this exploit at a couple hundred feet, but we have not tested this. With standard Bluetooth equipment (i.e. a smartphone) then the range would be about 10m or 33ft.”

IOActive disclosed the vulnerabilities to Segway, which has now addressed the issues.