Connected devices are everywhere and in some cases they pose not only a cyber risk, but a physical risk too.
Major security vulnerabilities have been identified in the Segway Ninebot MiniPRO as tests allowed a hacker to take control.
Once a hacker has control of the Ninebot MiniPRO they are able to disable the motor and bring the device to a sudden stop while a rider is in motion, while also being able to change the direction and pace of travel.
The successful attack on the Segway during testing involved a firmware update of the scooter’s control system, which meant the hacker could remove rider detection without requiring authentication.
Behind the findings is the cybersecurity firm IOActive, experts in penetration testing and research. IOActive found that a hacker could simply ignore safety systems and move ahead to control the device using a smart phone, for example.
This instance is another example of an effective attack on an internet of things device, further evidencing the breadth of the spectrum of IoT devices that can be commandeered by a cyber adversary.
Thomas Kilbride, IOActive Embedded Devices Security Consultant, said: “FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures… However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations.”
The fact that these Segway devices are prepared with regulation pertaining to physical risks such as fire, but not for a potentially dangerous cyber attack makes clear that understanding of the risks posed by unsecure IoT is insufficient.
“Using reverse engineering and protocol analysis, I was able to discover a number of worrisome security threats… For example, I determined that riders in the area were indexed using their smart phone’s GPS. Therefore, each rider’s location was publicly available, so the hoverboards could be found, tracked, hijacked, and controlled without the rider’s knowledge,” said Kilbride.