
Reversing, Analyzing, and Attacking Xiaomi’s Electric Scooter Ecosystem

CESTARO, RICCARDO
2021/2022

Abstract

Electric scooters are becoming an essential part of our transportation methods, and their market is estimated to grow by 7.8% annually from 2022 to 2030. In this work, we focus on Xiaomi, the leading producer of electric scooters, and perform a security assessment of its e-vehicle ecosystem. First, we analyze the application-layer Bluetooth traffic in order to reverse-engineer Xiaomi's proprietary protocols, and we describe them. Then, we reverse-engineer the firmware using both static and dynamic analysis, inspecting the behavior of the scooter and how it handles the packets. We show protocol and firmware vulnerabilities and how they can be used to build attacks delivered over Bluetooth. In particular: (1) we perform an arbitrary read of the scooter's internal memory, (2) we perform an arbitrary write to the scooter's internal memory, (3) we show that there is no protection at the link layer, (4) we show that the first two protocols implemented by Xiaomi have no authentication for performing a firmware update, and (5) we perform an application-layer protocol negotiation in order to reopen the door to old vulnerabilities. Exploiting these vulnerabilities, we introduce the Total Lock Attack, which combines the application-layer protocol negotiation and the arbitrary write to activate the anti-theft functionality of a scooter simply by sending a Bluetooth packet, even if the target scooter is owned by someone else, and to set or change the password that MiHome, the application responsible for communicating with the scooter, asks for during connection. If this attack is carried out while the victim is riding, the target scooter will stop suddenly, putting the rider in a potentially dangerous situation. Since the Total Lock Attack sets or changes the password requested by MiHome, the victim will no longer be able to unlock the scooter and will have to send it for assistance.
Furthermore, we present the Password Sniffer Attack, which exploits the application-layer protocol negotiation and the arbitrary read vulnerabilities to read the password's hash from memory and recover the password. To demonstrate how these security issues can be exploited, we present ScooterMaster, an Android application able to exploit the vulnerabilities of the Xiaomi Electric Scooter Ecosystem and consequently deliver the attacks. ScooterMaster can launch a Total Lock Attack simply from a smartphone.
2021
Xiaomi
Scooter
Reversing
Attacking
Analyzing
Files in this item:

File: RiccardoCestaro_MasterThesis_Cybersecurity_PDFA.pdf
Access: restricted access
Size: 8.67 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12608/31775