Researchers found a way to hack those ubiquitous electric scooters

A researcher with San Francisco-based Zimperium discovered a way to manipulate a Xiaomi M365 scooters via the device's Bluetooth connection.

You can add another bullet point to the long list of things that drive people nuts about the electric scooter craze in America: the scooters can be hacked.

A researcher with Dallas-based Zimperium discovered a way to manipulate a Xiaomi M365 scooter through a Bluetooth connection. Users can access their scooter via an app that connects to the scooter, as long as users authenticate with a password. However Zimperium researcher Rani Idan determined the password fails to completely protect users.

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password,” Idan wrote in a blog post Tuesday. “The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”

From there, Idan wrote an app for his mobile device that allowed him to mess with a Xiaomi scooter that was in use.


Idan writes that due to the flaw, a person could lock any M365 scooter, install malicious firmware, then cause it to fully accelerate or come to a screeching halt.

Scooter-sharing companies like Bird and Spin have used the Xiaomi in the past. However, CyberScoop has learned that Bird updated the firmware on their M365 models after discovering the issue more than a year ago.

A Spin spokesperson told CyberScoop it stopped purchasing the Xiaomi model last year, and are phasing out any remaining Xiaomi scooters it had previously deployed.  The majority of Spin’s scooters are made by Segway.

Xiaomi told Zimperium researchers that it was aware of the issue, blaming on “third-party products.”


Correction, 2/14/19: The location of Zimperium’s headquarters has been corrected in this article. 

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts