Hacking a Segway

The Segway has a mobile app. It is hackable:

While analyzing the communication between the app and the Segway scooter itself, Kilbride noticed that a user PIN number meant to protect the Bluetooth communication from unauthorized access wasn’t being used for authentication at every level of the system. As a result, Kilbride could send arbitrary commands to the scooter without needing the user-chosen PIN.

He also discovered that the hoverboard’s software update platform didn’t have a mechanism in place to confirm that firmware updates sent to the device were really from Segway (often called an “integrity check”). This meant that in addition to sending the scooter commands, an attacker could easily trick the device into installing a malicious firmware update that could override its fundamental programming. In this way an attacker would be able to nullify built-in safety mechanisms that prevented the app from remote-controlling or shutting off the vehicle while someone was on it.

“The app allows you to do things like change LED colors, it allows you to remote-control the hoverboard and also apply firmware updates, which is the interesting part,” Kilbride says. “Under the right circumstances, if somebody applies a malicious firmware update, any attacker who knows the right assembly language could then leverage this to basically do as they wish with the hoverboard.”

Posted on July 21, 2017 at 6:23 AM • 22 Comments
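The two gaps described in the post, a PIN that is not enforced for every command and firmware accepted without an origin check, modelled here as device-side checks. This is an added example, not part of the original post and not Segway's code: the opcodes, PIN and key are constructed, and HMAC-SHA256 stands in for a vendor public-key signature so that the block needs only the standard library.

```python
import hashlib
import hmac

# Constructed values for illustration only; nothing here is Segway's protocol.
USER_PIN = "482913"
VENDOR_KEY = b"constructed-demo-key"  # stand-in: a real device would hold only a public key
MAX_PIN_TRIES = 5

def sign_image(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: authentication tag computed over the whole firmware image."""
    return hmac.new(key, image, hashlib.sha256).digest()

class Scooter:
    """Hypothetical device-side handler: the checks live on the device, not in the app."""

    def __init__(self):
        self.authenticated = False
        self.failed_tries = 0
        self.rider_on_board = False
        self.firmware = b"factory-image"

    def handle(self, opcode: str, payload: bytes = b"", tag: bytes = b"") -> str:
        if opcode == "AUTH":
            if self.failed_tries >= MAX_PIN_TRIES:
                return "locked"  # a 6-digit PIN needs an attempt limit
            if hmac.compare_digest(payload, USER_PIN.encode()):
                self.authenticated, self.failed_tries = True, 0
                return "ok"
            self.failed_tries += 1
            return "bad-pin"
        # Every other opcode is refused until this connection has presented the PIN.
        if not self.authenticated:
            return "unauthenticated"
        if opcode == "SET_LED":
            return "ok"
        if opcode == "REMOTE_DRIVE":
            # Safety interlock enforced in firmware, independent of the app.
            return "refused-rider-on-board" if self.rider_on_board else "ok"
        if opcode == "FW_UPDATE":
            # Verify origin before anything is written to flash.
            if not hmac.compare_digest(tag, sign_image(payload)):
                return "bad-signature"
            if self.rider_on_board:
                return "refused-rider-on-board"
            self.firmware = payload
            return "ok"
        return "unknown-opcode"
```

The interlock only holds if the update path is authenticated as well, since the post notes that replacement firmware could otherwise remove it.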

Comments

Ph July 21, 2017 6:58 AM

Well, at least with Bluetooth it can’t be used easily in the IoT DDoS phenomena.
It will be much fun if they get WiFi implementations.

Clive Robinson July 21, 2017 7:20 AM

@ Ph,

    Well, at least with Bluetooth it can’t be used easily in the IoT DDoS phenomena.

Err did you read the paper I linked to over on this last week’s squid page?

The attack methods they used on the Philips IoT lightbulbs were via Bluetooth and sound basically the same. The intent with the lightbulbs was to cause a chain reaction with a worm. Which is not too dissimilar to a DDoS…

Tommaso July 21, 2017 7:32 AM

Please, PLEASE, stop calling this a “hoverboard”. The little Michael J Fox inside me is screaming with inner rage.

Clive Robinson July 21, 2017 7:32 AM

@ Bruce,

You probably don’t know/remember it’s just a few days to the 20th Anniversary of the death of Princess Diana, in a tunnel in France.

There are a group of individuals that continuously express the belief that MI6 or similar in “The British Establishment” deliberately caused the crash by taking over the car she was being driven in to make it crash.

So watch out for kooky / conspiracy comments on this thread.

Clive Robinson July 21, 2017 7:41 AM

I suspect the Wired Journalist either lacks imagination or has led a sheltered life.

The last paragraph says,

    In terms of existential dread, you can find some reprieve in knowing that most hackers are seeking profit, and there isn’t a lot of money to be made in maiming Segway riders

Really… I can think of one: use the futures market to short sell Segway / Ninebot shares etc. That’s reason aplenty to cause their products to misbehave.

Rachel July 21, 2017 11:06 AM

@ Clive

    You probably don’t know/remember it’s just a few days to the 20th Anniversary of the death of Princess Diana, in a tunnel in France.

    There are a group of individuals that continuously express the belief that MI6 or similar in “The British Establishment” deliberately caused the crash by taking over the car she was being driven in to make it crash.

    So watch out for kooky / conspiracy comments on this thread.
*
Clive I was feeling extremely disappointed. Until I realised, by ‘group of individuals’ you clearly meant ‘everyone who speaks English’. At which point I felt relieved.
You have spoken of Peter Wright and Spycatcher book. I can’t recall the chap’s name but I did read a chap’s memoir of his M16 career and how he was kicked out for not fitting in with their social code, they offered him a job in the City so it wasn’t dishonourable. He was later smeared as someone who had blown the names of M16 officers abroad – remember when that was front page news for a while many years ago. Well, he says all of those names were unclassified and so even if it was him, no harm was done. He says he was smeared because he was due to give evidence to the commission about M16 involvement in Diana’s death because the methods used matched ones he had been trained in, in this instance a motorcycle rider riding ahead of a vehicle and shining a light to dazzle the driver behind. I don’t know the status now but he spent years and years illegally harassed by them, not being allowed safe haven in any country or allowed to clear his name.
All this aside the whole matter has been documented so extensively in multiple arenas I can’t see how anyone could possibly think otherwise about that tragic incident. Seriously surprised you happen to.
Guess I’m one of your kooky commenters? Out of respect for Mr Schneier I will be careful to leave the subject at that although I’m no doubt keen for your feedback.
No matter, you are still my hero!

Wael July 21, 2017 11:17 AM

@Clive Robinson, @Rachel,

    So watch out for kooky / conspiracy comments on this thread.

Label it as you wish. Princess Diana was murdered! Clear as daylight. Open and shut case.

Jimbo July 21, 2017 11:34 AM

Little reason to hack a Segway. Back in 2010 Jimi Heselden, owner of the Segway company was killed by his in a single vehicle accident. Use your favorite search engine and search for: Segway owner killed by Segway

Rachel July 21, 2017 1:53 PM

@ Tim!

Humble pie time, like a drunk driver at A.A.
You just blew a hole in my theory. But Fiat’s worth, I did try.
With eyes like that, did you ever happen to work as a rifleman for hire?

[Wael, your turn]

Thoth July 22, 2017 12:09 AM

@all
To touch on Bluetooth “Secure Channel”, it is an AES-128 bit symmetric crypto and thus the need of establishment code (a.k.a 6 digit PIN number).

For a device to pair, one device will generate the PIN and display it so that the displayed PIN can be manually copied to the other device.

For a Segway to pair over Secure Channel, they have to have a display screen to display securely the Bluetooth pairing PIN and this creates a more complex and possibly a more hard to integrate design as it might not flow well with the looks of a Segway device and also to do the troublesome security management.

As usual, this is the typical security-vs-ease topic we usually touch on as well and somehow ease of use of integrated systems always ends up winning. Even when a standard is created to give a minimum bounds for security requirements, designers and devs and decision makers will always never fail to choose the easier and less costly option instead of the more secure option.

Another layer to consider is the management of the AES-128 bit key in the devices and also the secure use of the keys (i.e. authenticate to use the keymat). There is a ton of overhead which most designers, devs and decision makers are unwilling to deal with. There are packages sold that bundle the entire security properly so that all those management and utilization of the security features can be done seamlessly but these security service packages do not come cheap either. One example is G & D’s Mobile Connect package which allows the embedding of a Secure Element chip (SIM card) as the tamper resistant Secure Execution Environment to possibly be used to hold the keys and execute securely but the additional cost and addon is typically not a welcomed sight by most designers, devs and decision makers.

Where are we now? We are at a point where there are secure options but people are unwilling to use them.

Ph July 22, 2017 2:59 AM

@Clive,

That is very much stretching the definition of a Distributed Denial of Service.
It’s just breaking things locally.
I have not seen any lamps that can take down websites (yet).

Give the board WiFi, upload new firmware in the flavor of a pineapple, and it can theoretically DDoS any internet address through open/easily hacked WiFi when it is in range.
And because it is moving, it can (ab)use multiple networks, most urban areas have at least 5-20 APs reachable on any spot.
That as well as infect other boards laterally.

David Rudling July 22, 2017 7:48 AM

@Clive Robinson

    You probably don’t know/remember it’s just a few days to the 20th Anniversary of the death of Princess Diana, in a tunnel in France.

    There are a group of individuals that continuously express the belief that MI6 or similar in “The British Establishment” deliberately caused the crash by taking over the car she was being driven in to make it crash.

    So watch out for kooky / conspiracy comments on this thread.
*

Clive,
I am with you on this one, except that I probably would not have been as polite as you in describing them as a “group of individuals”. A quick search on Google reveals that the Flat Earth believers are still apparently going strong so the existence of conspiracy theorists about the death of a princess should come as no surprise.

Of course it is true that all governments have agencies tasked to undertake actions where complete deniability is a mandatory requirement but assassinations appear not to have taken place even in cases where they could have served UK interests far more positively than just avoiding some temporary royal embarrassment, so the probability must be assessed as low that such a highly public high risk/low return operation would be approved.

Anura July 22, 2017 8:16 AM

@David Rudling

If the Earth is round, how come every photograph from space shows a flat disk?

albert July 22, 2017 10:50 AM

@Anura,

The pictures only show the -visible- portion of the earth. The actual diameter of the disk is many times larger, but it is virtual, and invisible. You can’t fly or sail off the edge since there is no edge. Objects approaching the outer periphery instantly appear on ‘the other side’, due to quantum effects (See Bose-Einstein Condensate). Similarly, satellites observe only the virtual image, not the ‘real’ one.

I hope this helps.

. .. . .. — ….

CallMeLateForSupper July 22, 2017 12:17 PM

@Anura
“If the Earth is round, how come every photograph from space shows a flat disk?”

“A lot of people are saying [it is a convex disk]. I don’t know.”

tyr July 22, 2017 11:47 PM

@Rachel

The M16 in WW2 was a quad 50 caliber
mounted on an M3 halftrack. You can
see the mount on a boat in the movie
Waterworld.

The US military shuffles the M designators
around at random to confuse the Russians.
Or the designated enemy du jour.

As I understood the Di episode the chauffeur
was drunk as a lord and trying to escape
paparazzi. If you are a public figure
the narratives around your death are a
great entertainment for speculators who
should put more effort into their own tale
of woe. The spooks love the appearance of
omnipotence given by tabloid tony pandy.

Hugh Buntu July 24, 2017 12:04 PM

It got hacked. This morning at exactly 8AM ET I started receiving at least one notification per second with messages in Mandarin. Sorry, no read Mandarin.

PS. Is this the first comment on this thread that actually addresses the topic?

We Are Hugh
