Researchers at the Department of Computer Science of the University
of Texas at San Antonio (UTSA) have recently exposed
vulnerabilities in the micromobility ecosystem that may compromise the
security, safety and privacy of users of battery-powered electric scooters.
According to the study led by assistant professor Murtuza
Jadliwala, the risks are not bound to the electric scooter itself, but also
extend to related software services and applications.
The research comes amid the growing popularity of e-scooters
as an option to ease or bypass traffic congestion, with service providers
offering riders easy payment options, flexible drop-offs and geo-location at
the tap of a button.
The full research paper, to be presented at AutoSec in March
2020, tackles multiple angles that can be used by threat actors including:
- exploiting vulnerabilities in the smartphone application and the communication channels
- exfiltrating data from service providers
- eavesdropping on riders over these channels using hardware or software
- spoofing GPS systems to direct riders to
One key factor that promotes the attacks is linked to the
Bluetooth Low Energy (BLE), which most electric scooters rely on. To make use
of the vehicle, a rider needs both Bluetooth and Internet data activated on his
In a published sample of the study,
the researchers also warn of physical damages that may affect a rider if any of
the electronic and mechanical components are tampered with.
“Once the e-scooter is acquired, the attacker can install
malicious modules, remove or replace key components before placing it back in
the streets to control the e-scooter remotely or to covertly gather data about
the e-scooter and populace near the e-scooter,” the authors wrote.
The paper says attackers “can intentionally injure the
victim rider by remotely manipulating or interfering with the
e-scooter’s brakes, damaging the tires or other physical damage that could
incapacitate the e-scooter.”
An additional risk relates to the personal and sensitive
data that is automatically collected by service providers. If data sharing is
unregulated and not anonymized, the information can be used to create user
profiles. An attacker “can use the information to learn about the users and
then strategically place e-scooters on road, entice riders with suitable social
media advertisements, etc.”