Full Disclosure mailing list archives

Re: An anti-theft system allowing attackers to remotely kill the engine in electric scooters made by INOKIM/MyWay, affected model: Quick 3


From: pop shark <popshark1 () gmail com>
Date: Thu, 9 Nov 2017 19:25:01 +0200

Hi, my last mail had a mistake; please don't publish it.
I'm adding a corrected version.
Thank you.


Claim: An anti-theft system allows attackers to remotely kill the engine
of electric scooters made by INOKIM/MyWay; affected model: Quick 3.

MYWAY/INOKIM created a new model, the Quick 3. This model has a new mobile
phone app.

The app has an anti-theft feature that allows the owner to remotely
deactivate the engine in any situation (while moving or while parked),
using a Bluetooth connection to the BT module in the *electric scooter*.
It is a feature.

A malicious attacker can use this anti-theft feature to deploy an easy
attack and shut down the engine of the scooter, even while the rider is
using it at high speed.

Potential casualties: injury or death.

The serial number of the scooter (VIN), just like on cars, is shown on the
scooter with no physical protection, and that is basically all you need to
know in order to deploy an easy attack.

The anti-theft option in the app can be triggered at any time as long as
you have the VIN (Inokim serial number).

Risk: losing control, death, injury, road accidents, etc.

Technical info:

An attacker can use at least two options to deploy the attack:

1. VIN and Bluetooth

The VIN, a serial number of the scooter which is supposed to be secret
given its potential uses, is shown on the scooter like on many cars, so an
attacker can take a picture of the scooter frame, or just look at it, and
then deploy the attack with a temporary username in the app, verified by
the VIN of any scooter out there.

2. Remote control of the victim's mobile phone can allow an attacker to
control the phone of the owner/target remotely and then deploy the attack
even from another country.

Examples: Miracast, a Trojan horse, pre-installed spyware with full control
of the phone, TeamViewer, VNC.
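The post does not describe the app's actual protocol, so the following is an added example written for this page, not code from INOKIM/MyWay or the Quick 3 app. It models the logic flaw as the post states it (a kill command that is authorised by nothing more than the VIN printed on the frame) beside a hardened scooter-side authoriser that needs a per-owner key provisioned at physical pairing, a single-use challenge nonce, and a speed policy that defers the cut-out while the scooter is moving. The VIN, the owner key, the 6 km/h threshold and the HMAC message layout are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example; nothing here comes from the product.
VISIBLE_VIN = "Q3-EXAMPLE-000123"      # printed on the frame, readable by any bystander
OWNER_KEY = secrets.token_bytes(32)    # assumed: provisioned only during physical pairing
MAX_KILL_SPEED_KMH = 6                 # assumed policy: only stop a (near) stationary scooter


class VinOnlyController:
    """Scooter-side logic as the post describes it: knowing the VIN is enough."""

    def __init__(self, vin):
        self.vin = vin
        self.motor_enabled = True

    def handle_kill(self, claimed_vin, speed_kmh):
        # The VIN is visible on the frame, so this check authorises anyone who read it,
        # and nothing looks at the speed before cutting the motor.
        if claimed_vin != self.vin:
            return "rejected"
        self.motor_enabled = False
        return "killed"


def kill_tag(key, vin, nonce):
    """HMAC-SHA256 over command, VIN and nonce; what a paired owner app would send."""
    return hmac.new(key, b"KILL|" + vin.encode() + b"|" + nonce, hashlib.sha256).digest()


class PairedKeyController:
    """Hardened variant: kill needs the owner's key, a fresh nonce, and a safe speed."""

    def __init__(self, vin):
        self.vin = vin
        self.motor_enabled = True
        self.owner_key = None
        self.outstanding_nonce = None

    def pair(self, key):
        # Assumed to happen over a physically confirmed channel (e.g. a button press on
        # the scooter during first setup); the key is never derived from the VIN.
        self.owner_key = key

    def challenge(self):
        # One-time nonce: a captured valid reply cannot be replayed later.
        self.outstanding_nonce = secrets.token_bytes(16)
        return self.outstanding_nonce

    def handle_kill(self, claimed_vin, nonce, tag, speed_kmh):
        if self.owner_key is None or self.outstanding_nonce is None:
            return "rejected"
        if claimed_vin != self.vin or nonce != self.outstanding_nonce:
            return "rejected"
        expected = kill_tag(self.owner_key, self.vin, nonce)
        self.outstanding_nonce = None   # consume the nonce whether or not the tag verifies
        if not hmac.compare_digest(tag, expected):
            return "rejected"
        if speed_kmh > MAX_KILL_SPEED_KMH:
            # Genuine owner, but cutting power at speed is the hazard the post describes;
            # defer until the scooter slows down (assumed policy).
            return "deferred"
        self.motor_enabled = False
        return "killed"


def attacker_with_vin_only(naive, hardened, speed_kmh=25):
    """Bystander who photographed the VIN but never paired."""
    naive_result = naive.handle_kill(VISIBLE_VIN, speed_kmh)
    nonce = hardened.challenge()
    forged = kill_tag(b"guessed-key", VISIBLE_VIN, nonce)   # no owner key, so a wrong tag
    return naive_result, hardened.handle_kill(VISIBLE_VIN, nonce, forged, speed_kmh)


def owner_kill(hardened, speed_kmh):
    """Legitimate owner app: answers the challenge with the provisioned key."""
    nonce = hardened.challenge()
    tag = kill_tag(OWNER_KEY, VISIBLE_VIN, nonce)
    return hardened.handle_kill(VISIBLE_VIN, nonce, tag, speed_kmh), nonce, tag


def demo():
    naive = VinOnlyController(VISIBLE_VIN)
    hardened = PairedKeyController(VISIBLE_VIN)
    hardened.pair(OWNER_KEY)
    results = {"attacker": attacker_with_vin_only(naive, hardened)}
    at_speed, nonce, tag = owner_kill(hardened, speed_kmh=25)
    results["owner_at_speed"] = at_speed
    # Replaying the owner's captured message against the consumed nonce fails.
    results["replay"] = hardened.handle_kill(VISIBLE_VIN, nonce, tag, 0)
    results["owner_parked"] = owner_kill(hardened, speed_kmh=0)[0]
    results["motor_states"] = (naive.motor_enabled, hardened.motor_enabled)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the attacker killing the VIN-only controller at 25 km/h while the hardened one rejects the same attempt, the owner's kill at speed being deferred rather than executed, a replay of that message being rejected, and the owner's kill succeeding once the scooter is parked. The second option in the post (controlling the owner's phone) defeats even this design, since the attacker then drives the legitimately paired app; the speed policy is the only line of defence left in that case.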

Status:

The company didn't answer emails sent on:

29.07.2017

07.10.2017

The National Cyber Security Authority in Israel was notified, and no
update has been given regarding proactive changes by the company.

Since the feature is there by design and is supposed to help prevent
people from stealing the scooters, it is a logic security problem and not
a typical mistake; they knew about it.



P.S.

1. The way I got onto the VIN problem is via informants who shared with me
their fear of using those scooters, including a live demo they made on
their own device of how the scooter can be shut down remotely at high speed.

The idea of using Miracast or a Trojan horse and remotely controlling the
owner's app is mine.

Since at least 3 other people knew about the problem before it came to my
attention, I decided that I must share it now.

Moreover, my research shows that connected bikes and connected scooters
are becoming very popular, so the community's attention must be higher
regarding engines with a remote kill switch.

I believe that ISO should create new working groups regarding those small
vehicles; protecting cars only can't cover the immediate situation on the
streets. We need cyber regulation for the new era of mini connected
electric vehicles.

You are welcome to contact me with any request.

Sources:

http://inokim.com/q3_features/

https://youtu.be/_OAEqD0z2Tc?t=1m34s

Video of the ECU and BT controller.

https://www.youtube.com/watch?v=FclHcgE6-34

Android App

https://play.google.com/store/apps/details?id=com.bugull.myway

IOS app

https://itunes.apple.com/pk/app/inokim/id1116583514?mt=8

User Guide Manual

http://inokim.com/wp-content/uploads/2014/12/Quick3-UserGuide_Prewiew.pdf

Amitay Dan (popshark1)

www.amitaydan.com

https://twitter.com/popshark1

https://il.linkedin.com/in/amitay-dan-a63647aa

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
