- Mobile security firm Zimperium says it has found a flaw in a popular brand of electric scooter that allows a remote party to lock it from as much as 100 meters away. The flaw would also allow a hacker to deploy malware that would take over the scooter, or force a vehicle to accelerate or brake suddenly.
- Zimperium identified the problem with the Xiamo M365 scooter, which is used in Bird’s fleet. In a statement to The Verge, a Bird spokesman said its scooters are not affected by the security flaw.
- In a response to Zimperium, manufacturer Xiamo said it was a "known issue internally," and Xiamo was working with third parties on a solution.
It’s unclear how many scooter fleets rely on Xiamo vehicles, as many fleets also use Segway vehicles. A spokesman for Lime told The Verge that it does not use the M365 scooters, but Zimperium says the manufacturer’s scooter can be rebranded and sold under different names. It’s also unclear if the hack — which involves going through the scooters’ Bluetooth systems used for remote management — could be tweaked to affect other models.
Although Xiamo says they are aware of the problem, fixing it could be difficult if it requires coordination among the manufacturer and fleet operators. Zimperium writes that the security needs to be updated by Xiamo or a third party, "and cannot be fixed easily by the user."
The news of the flaw comes amid increasing scrutiny for scooters and especially their safety risks for riders. Just this week, the family of a Fort Lauderdale, FL woman announced it would sue Lime over a crash that left the woman in a vegetative state. The Centers for Disease Control and Prevention is also doing the first epidemiological study on dockless scooters' health risk, and a recent Consumer Reports investigation linked 1,545 injuries to scooters across the country.
With more cities adapting to the presence of scooters and writing new regulations, potential security flaws in the vehicles themselves is likely to be a challenge that is prioritized down the line. The potential for vehicles to be hacked could also invite increased disclosure to consumers on which manufacturers are making the vehicles.