The apps of the rental companies are very informative. With the transferred data, an e-scooter can even be switched off while driving.
Manufacturers of electric scooters don’t take IT security too seriously. This was shown in a lecture at the BSI’s IT security congress on Wednesday. By accessing the company’s APIs, movement profiles can be created or even keys can be read out, which can be used to switch off passing e-scooters.
Bugged app communication
Jan-Niclas Hilgert, research assistant at Fraunhofer FKIE, demonstrated that the APIs of some providers can be read out without major problems. To get access to the data from the provider Lime, the researchers used a jailbroken iPhone. This enabled them to constantly read the information that the app received. By reading out or generating a new user token, the iPhone was no longer necessary, so that the forensic experts could call up data directly via the API. These data turned out to be amazingly detailed. This made it possible to read user data which, with PayPal, also contained the user’s email address as a payment method.
There was plenty of information about the e-scooters: The apps of all rental companies contain an overview of where vehicles are available for rent nearby. After the IT forensic scientists had analyzed this data once, they found out that, for example, the servers of the Tier provider sent significantly more information than was displayed in the app. In addition to the location and license number, status information such as the battery charge level and the internal number of the electric scooter was also available.
All information about all e-scooters
Further experiments quickly showed: The Tier API not only lists scooters in the area, it also allows direct queries about specific vehicles. The IT researchers automatically queried all the data on all e-scooters and thus got an overview of the entire fleet. While the Tier servers reported almost 24,000 active loan devices in February 2020, there were over 56,000 in December. The API also provided information about stolen, damaged or taken out of service e-scooters without any problem.
Since the position data of the scooters is continuously transmitted, it can in principle also be used to track individual users. All that was necessary was the license plate of the electric scooter. With a duration query over several hours, the researchers were even able to generate a movement overview of all scooters.
Switch off via Bluetooth
The provider Spin offers a special feature, whose e-scooters not only contain GPS and mobile communications, but also a Bluetooth connection. Hilgert and colleagues followed up the locking and unlocking process using reverse engineering. The only thing missing was the associated Bluetooth key, which is exchanged every 24 hours. But here too, the provider’s API proved to be chatty. A query provided the researchers with the key free of charge. Result: In a practical test, they were able to switch off a passing electric scooter via Bluetooth.
“If that happens in flowing traffic, it might not be the best thing,” summarized Hilgert. The researchers want to publish the results of the API analyzes on Github in the coming weeks.