Heads Up, Hoverboarders: Hackers Could've Hijacked Your Deck Mid-Hover
Researchers gained remote access to a rider's Segway via the official app.
Image: Shutterstock. Composition: Ben Sullivan
The Segway's had a tumultuous life. Once prophesied as a main method of transport in the new millennium, the vehicles never managed to go mainstream.
But 2016's fad of "hoverboards"—essentially Segways without handles—prompted a resurgence for the gyroscopic go-machines, with Segway releasing its own MiniPRO quasi-hoverboard last year, too. Fast forward to 2017, and riders can now control their Segway hoverboards with an app, because, well, of course you can.
And what you're seeing here, folks, is a hoverboard being remotely shut off by a hacker, via that very app.
Earlier this year, a researcher at Washington-based security firm IOActive discovered a way of hacking into these Segway scooters through the app, meaning they could be remotely hijacked while a rider is moving.
IOActive disclosed the vulnerabilities to Segway in January, and the company subsequently released a new version of the app in April that remedied the critical issues. IOActive published its research on the vulnerabilities today, but Segway has yet to respond to my requests for comment on the matter.
"These devices can be controlled without special hardware up to 30 feet away. With special hardware, they can be controlled potentially hundreds of feet away," Thomas Kilbride, a security researcher at IOActive, told me.
Kilbride spent months testing mobile applications, various firmware versions, and other software to find vulnerabilities in the Segway/Ninebot MiniPRO hoverboard.
Eventually he realized that Segway's own app, which riders can optionally use to activate their hoverboards and control settings like speed and sensitivity, can actually be used to send malicious firmware to the scooter via Bluetooth, with the help of a secondary Android application that bypasses the security PIN.
Adding to the potential damage this vulnerability posed to hoverboard riders, the app's feature of publicly displaying the locations of nearby hoverboard riders meant that their hoverboards could be found, tracked, hijacked, and controlled without the rider's knowledge.
"An attacker would have to find the scooters using the 'Find Riders Nearby' function. Next, an attacker can send a special message to the scooter over Bluetooth, which allows the attacker to bypass a security PIN set by the owner of the hoverboard," Kilbride told me.
Once the security PIN has been bypassed, the hacker could have gained the full range of controls the rider has by pushing a firmware update onto the Segway, including remotely controlling the scooter, turning the motor off mid-ride, changing the colour of the brake lights, and even changing the security PIN to lock the owner out.
And if you're worried about the researchers involved in the making of this hack, IOActive told me it kept Segway speeds slow for its proof-of-concept, lest it sensationalise the research or put anyone in actual physical danger while shooting it.