Bankrupt scooter startup's single key controlled everything
Briefly

"A closer look at the Android app and Bluetooth traffic showed that locking, unlocking, and basic status checks all occur locally over Bluetooth, with the cloud mostly along for the ride. Before accepting commands, the scooter runs a simple authentication check: it sends a short challenge, the app replies with a cryptographic response, and access is granted. It's designed to stop random passers-by from hopping on and riding off. In theory, at least."
"In practice, the secret used to generate that response was, Moorats claims, never properly set. Instead of a unique key per scooter, the manufacturer shipped all models with the same placeholder value: a default private key that appears to have been intended to be replaced before production and simply never was. Once Moorats had worked that out, unlocking his own scooter without the cloud was trivial, and the exact same method works on every other Äike scooter within Bluetooth range, he says."
An owner and security researcher reverse-engineered an app-controlled electric scooter after its manufacturer, Äike, went bankrupt. Analysis of the Android app and Bluetooth traffic revealed that locking, unlocking, and status checks occur locally over Bluetooth, with the cloud playing only a supporting role. The scooter requires a cryptographic challenge-response exchange before accepting commands, but the manufacturer shipped all units with the same placeholder private key, which was never replaced. Using that default key, the researcher was able to unlock his scooter and demonstrate that any nearby Äike scooter can be unlocked with a short proof-of-concept script and common tools.
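The failure described above, as an added illustration (not the page's or Äike's code): a challenge-response check in which every unit shares a placeholder key, beside per-device key diversification and a factory provisioning gate that would have flagged the placeholder before shipping. HMAC-SHA256, the 16-byte nonce, the serials and the master secret are assumptions; the real Äike protocol and key are not on the page.

```python
import hmac
import hashlib
import secrets

# Constructed stand-ins: the page gives neither the shipped default key nor
# the protocol, so a zero key and HMAC-SHA256 over a random nonce are assumed.
PLACEHOLDER_KEY = b"\x00" * 32
MASTER_SECRET = b"factory-master-secret-example"  # constructed, one per manufacturer

def derive_device_key(master: bytes, serial: str) -> bytes:
    """Per-device key diversified from the factory master secret and serial."""
    return hmac.new(master, b"scooter-auth|" + serial.encode(), hashlib.sha256).digest()

def respond(key: bytes, challenge: bytes) -> bytes:
    """The app's answer to a challenge: keyed MAC over the nonce."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Scooter:
    def __init__(self, serial: str, key: bytes):
        self.serial, self.key, self.locked = serial, key, True
        self._nonce = b""

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per attempt, never reused
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        ok = bool(self._nonce) and hmac.compare_digest(respond(self.key, self._nonce), response)
        self._nonce = b""  # a challenge is consumed by one attempt, so replays fail
        if ok:
            self.locked = False
        return ok

def scooters_accepting(fleet: list, key: bytes) -> int:
    """How many units in the fleet accept responses computed with one key."""
    return sum(s.unlock(respond(key, s.challenge())) for s in fleet)

def provisioning_check(fleet: list) -> list:
    """Factory gate: serials whose key is the placeholder or is shared with another unit."""
    owners = {}
    for s in fleet:
        owners.setdefault(s.key, []).append(s.serial)
    return sorted(s.serial for s in fleet
                  if hmac.compare_digest(s.key, PLACEHOLDER_KEY) or len(owners[s.key]) > 1)

def build_fleet(serials: list, diversified: bool) -> list:
    """Shipped fleet: every unit with the placeholder, or each with its own derived key."""
    return [Scooter(sn, derive_device_key(MASTER_SECRET, sn) if diversified else PLACEHOLDER_KEY)
            for sn in serials]
```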
Read at Theregister