E-Spoofer: Attacking and Defending Xiaomi Electric Scooter Ecosystem

Xiaomi is the market leader in the electric scooter (e-scooter) segment, with millions of active users. It provides several e-scooter models and Mi Home, a mobile application for Android and iOS to manage and control an e-scooter. Mi Home and the e-scooter interact via Bluetooth Low Energy (BLE). No prior research evaluated the security of this communication channel, as it employs security protocols proprietary to Xiaomi. Exploiting these protocols results in severe security, privacy, and safety issues, e.g., an attacker could steal an e-scooter or prevent the owner from controlling it. In this work, we fill this research gap by performing the first security evaluation on all proprietary wireless protocols deployed to Xiaomi e-scooters from 2016 to 2021. We identify and reverse-engineer four of them, each having ad-hoc Pairing and Session phases. We develop four attacks exploiting these protocols at the architectural level, and we call them Malicious Pairing (MP) and Session Downgrade (SD). Both attacks can be performed from proximity, if the attacker's machine is within BLE range of the target e-scooter, or remotely, via a malicious application co-located with Mi Home. An adversary can utilize MP and SD to steal a password-protected and software-locked e-scooter, or to prevent a victim from accessing it via Mi Home. We isolate six attack root causes, including the lack of authentication while pairing, and the improper enforcement of the e-scooter password. We open-source the E-Spoofer toolkit. Our toolkit automates the MP and SD attacks, and includes a reverseengineering module for future research. We empirically confirm the effectiveness of our attacks by exploiting three e-scooters (i.e., M365, Essential, and Mi 3), embedding five BLE subsystem boards and eight BLE firmware versions that support all four Xiaomi protocols. We design and evaluate two practical countermeasures that address our impactful attacks and their root causes, and we release them as part of E-Spoofer. We responsibly disclosed our findings to Xiaomi.