Leaving aside the convenience they offer, electronic scooters come with a number of cybersecurity and privacy risks, according to a study conducted by the University of Texas at San Antonio (UTSA).
This assessment, which UTSA described as “the first assessment of the security and privacy risks posed by electronic scooters, together with the services and software applications dedicated to them”, presents different attack scenarios that people who decide to use this means of transport may face and suggests various risk management measures.
Amer Owaida, Security Writer at ESET, explains on the blog how the attacks occur and offers some solutions.
Many electronic scooters rely on a mix of Bluetooth Low Energy (BLE) and the internet connection of the passenger’s smartphone to operate and to send data to the service provider. This opens the door to potential attacks. For example, malicious people could access the transmitted data to carry out further attacks, such as man-in-the-middle (MitM) or replay attacks. As a result, in some cases, hackers could remotely send commands to take control of the scooter and injure the passenger. Such a risk was reported in a Xiaomi scooter last year.
A scooter’s battery, engine, brakes, headlights and controller chip are among the key components that can be targeted during a physical attack. Attackers can then change key components or install “malicious modules”, allowing them to control the scooter remotely or secretly collect private information. By remotely manipulating the brakes and accelerator, attackers could intentionally injure the passenger or others.
“Micro-mobility” applications usually track the location of scooters, which means that location spoofing is another concern. Malicious people could lure victims to secluded locations and harm them in various ways.
Electronic scooter providers require a wide range of information from the riders who use their services. This usually includes some form of identification, along with billing, contact and demographic information. Providers also automatically collect additional data, including GPS location and smartphone-specific information. Attackers with access to such data can build a comprehensive picture of a rider’s habits, the places they frequent, and the routes they may use.
Most risks can be mitigated by implementing key cybersecurity practices. Employees who charge and maintain scooters can check mechanical and electrical components to ensure that no one has tampered with the scooters. With regard to privacy risks, it would be advisable for providers to follow a privacy-by-design approach, making the various data sets inaccessible to unauthorized persons. In addition, monitoring data traffic would help the service provider respond to threats in real time.