E-Trojans: Ransomware, Tracking, DoS, and Data Leaks on Battery-powered Embedded Systems

TL;DR

This paper uncovers critical security vulnerabilities in battery-powered embedded systems of e-scooters, develops novel attacks exploiting these flaws, and proposes countermeasures to enhance their security and privacy.

Contribution

It provides the first comprehensive security assessment of e-scooter internals, introduces E-Trojans, a toolkit for testing and exploiting vulnerabilities, and offers practical defenses.

Findings

Discovered four critical vulnerabilities in e-scooter internals.

Developed four novel remote attack methods exploiting these vulnerabilities.

Successfully demonstrated attacks on Xiaomi M365 and ES3 e-scooters.

Abstract

Battery-powered embedded systems (BESs) have become ubiquitous. Their internals include a battery management system (BMS), a radio interface, and a motor controller. Despite their associated risk, there is little research on BES internal attack surfaces. To fill this gap, we present the first security and privacy assessment of e-scooters internals. We cover Xiaomi M365 (2016) and ES3 (2023) e-scooters and their interactions with Mi Home (their companion app). We extensively RE their internals and uncover four critical design vulnerabilities, including a remote code execution issue with their BMS. Based on our RE findings, we develop E-Trojans, four novel attacks targeting BES internals. The attacks can be conducted remotely or in wireless proximity. They have a widespread real-world impact as they violate the Xiaomi e-scooter ecosystem safety, security, availability, and privacy. For instance, one attack allows the extortion of money from a victim via a BMS undervoltage battery ransomware. A second one enables user tracking by fingerprinting the BES internals. With extra RE efforts, the attacks can be ported to other BES featuring similar vulnerabilities. We implement our attacks and RE findings in E-Trojans, a modular and low-cost toolkit to test BES internals. Our toolkit binary patches BMS firmware by adding malicious capabilities. It also implements our undervoltage battery ransomware in an Android app with a working backend. We successfully test our four attacks on M365 and ES3, empirically confirming their effectiveness and practicality. We propose four practical countermeasures to fix our attacks and improve the Xiaomi e-scooter ecosystem security and privacy.