Hackers can remotely control, hijack a Segway MiniPro hoverboard

Leading up to the Black Hat conference, IOActive shows how a Segway Ninebot MiniPro hoverboard can be hijacked.

Hackers can remotely control, hijack a Segway hoverboard

The Segway Ninebot MiniPro may have “15 safety controls,” including one that would prevent the hoverboard’s motor from shutting off while a rider is standing on it, but stopping an attacker hacking the Bluetooth connection and hijacking the hoverboard was not one of them.

Unless you or a loved one owns a Segway hands-free Ninebot MiniPro hoverboard, this may seem like the first of the silly hacks that will come out of the Black Hat security conference. However, if you ride a Ninebot, then there is nothing silly about the possibility of a remote attacker causing you to faceplant on the sidewalk.

IOActive researcher Thomas Kilbride discovered an attacker could bypass the Ninebot MiniPro’s safety system remotely. If an attacker were to exploit security vulnerabilities in the Segway hoverboard app, then she could disable the motor and bring the MiniPro to an abrupt stop while the rider is in motion, change settings and direction, and even lock users out.

An attacker needs just 20 seconds of Bluetooth connection to carry out an attack, Kilbride told Forbes, but “it may be sped up using other means.”

He used reverse engineering and protocol analysis to find the “worrisome security threats.” Kilbride gave this example: “I determined that riders in the area were indexed using their smartphone’s GPS. Therefore, each rider’s location was publicly available, so the hoverboards could be found, tracked, hijacked and controlled without the rider’s knowledge.”

The location aspect, according to the security advisory (pdf), “makes weaponization of an exploit much easier for an attacker.” In that same advisory, IOActive walks us through the nine steps of the proof-of-concept attack.

This video includes a demonstration of what Kilbride could remotely do to exploit security flaws in the Segway Ninebot MiniPro app.

Whether or not a rider set a PIN when first prompted by the app, the hoverboard doesn’t change the default PIN. Kilbride said on the IOActive blog, “This allowed me to connect over Bluetooth while bypassing the security controls. I could also document the communications between the app and the hoverboard, since they were not encrypted.”

IOActive warned:

A malicious attacker could potentially perform one or more of the following behaviors:

  • Malicious firmware updates
  • Remote code execution/control
  • Device tracking and theft of self-balancing vehicles with the potential to circumvent critical safety interlocks

The vulnerabilities were disclosed to Ninebot in December. In April, the company released an updated app that fixed some of IOActive’s findings. Users should keep the Ninebot app updated, but IOActive added, “We also recommend that consumers avoid hoverboard models with Bluetooth and wireless capabilities."

“FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures,” said Kilbride. “However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations.”

Kilbride will present his findings at Black Hat on July 26 from 1:50 p.m. to 2:40 p.m. PT in Palm B Room in Mandalay Bay.

Related:
NEW! Download the Winter 2018 issue of Security Smart