
KIWICON 2038AD Electric Scooters


Kiwicon is an IT security conference created by the community, for the community. It was my great pleasure to attend this year. The venue is spectacular, but the content is even better. I will summarise a few highlights in a series of blog posts.

Disrupting the Electric Scooter Market by Matthew Garrett

A minimum viable product for electric scooter sharing consists of an eScooter, an app, a GPS unit, a cellular modem and a lock (physical or virtual). The cellular modem handles two-way communication between the eScooter and a server: it constantly reports the scooter's location as GPS coordinates, and it receives lock and unlock commands pushed to it over the cellular network.

eScooters are basically IoT devices left on the street, open to all sorts of abuse, including hacking. Matthew walked through the loopholes he found in different companies' systems. He demonstrated that you can download a provider's Android app as an APK file, unzip it, decompile the bytecode back to Java and find the server endpoint the app talks to. That endpoint could be called without any security token, and it returned all sorts of information about an eScooter.
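Finding the server endpoint is the step the rest of the talk builds on, and it needs no decompiler at all: an APK is a ZIP archive, and string constants such as API base URLs sit as plain ASCII inside classes.dex. The script below is an added example, not code from the talk or from any scooter company. It builds a constructed APK-like archive in memory (every name and URL under example-scooters.test is made up) and scans each entry for URL and API-path strings; in practice you would then open the app in jadx or apktool to read the code around those strings and see which headers, if any, the app sends with the request.

```python
import io
import re
import zipfile

# Constructed stand-in for a provider's APK (assumption: not a real app). String
# constants in a real classes.dex are stored in MUTF-8, so ASCII URLs appear verbatim.
FAKE_DEX = (
    b"dex\n035\x00" + b"\x00" * 32
    + b"https://api.example-scooters.test/v1/scooters\x00"
    + b"/v1/scooters/{id}/location\x00"
    + b"Authorization\x00"
    + b"wss://telemetry.example-scooters.test/stream\x00"
)
FAKE_STRINGS_XML = (b'<resources><string name="base_url">'
                    b"https://cdn.example-scooters.test/</string></resources>")


def build_fake_apk() -> bytes:
    """Build the constructed APK-like archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 16)
        z.writestr("classes.dex", FAKE_DEX)
        z.writestr("res/values/strings.xml", FAKE_STRINGS_XML)
        z.writestr("res/drawable/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()


# Absolute URLs (http, https, ws, wss) and relative API paths such as /v1/... or /api/...
URL_RE = re.compile(rb"(?:https?|wss?)://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
PATH_RE = re.compile(rb"/(?:v\d+|api)/[A-Za-z0-9_{}/.-]+")


def extract_endpoints(apk_bytes: bytes) -> dict:
    """Map each archive entry to the sorted URL/path strings found in it.

    Every entry is scanned, since compiled resources (resources.arsc, binary XML)
    also keep their strings; this ASCII scan catches UTF-8 strings, not UTF-16 ones.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            data = z.read(info.filename)
            urls = {m.group(0).decode("ascii") for m in URL_RE.finditer(data)}
            # Keep relative paths only when they are not already part of a full URL.
            paths = {m.group(0).decode("ascii") for m in PATH_RE.finditer(data)}
            paths = {p for p in paths if not any(p in u for u in urls)}
            hits = urls | paths
            if hits:
                found[info.filename] = sorted(hits)
    return found


if __name__ == "__main__":
    for entry, strings in extract_endpoints(build_fake_apk()).items():
        print(entry)
        for s in strings:
            print("   ", s)
```

The same scan run over a real APK is noisy (analytics SDKs, licence URLs, CDN hosts), so the useful follow-up is to sort the hits by host and look for the ones the app's own networking code references.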



He was able to track every eScooter the company owned. Apparently the eScooters start reporting their GPS coordinates as soon as they leave the production line, so Matthew could watch them being transported from factories in China to markets around the globe, some by rail and others by sea. It was fascinating. (Supply chains are another huge security risk, but a big enough topic to deserve its own blog post or posts.)

The web API endpoint also lets you look up a scooter by its ID, so you can watch a particular scooter, and whoever is riding it, travel from A to B. Worse, eScooter providers often use the rider's mobile phone number as the rider identifier. You don't need to be a genius to see that this is a huge privacy concern.
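The two problems, a lookup that needs no token and a record that carries the rider's phone number, are separate fixes on the server side. The following Python is an added example, not code from the talk or from any provider: it models a tiny in-memory fleet (constructed scooters, tokens and phone numbers; the rider phone number in the record is an assumption made for illustration) and puts the unauthenticated lookup next to a hardened one that authenticates the caller, exposes a parked scooter's position because that is the product, hides a scooter mid-trip from everyone except its current rider, and gives operators a keyed pseudonym instead of a phone number.

```python
import hashlib
import hmac

# Constructed fleet state (assumption: not real scooters, riders or phone numbers).
# locked=True means parked and available; locked=False means a trip is in progress.
SCOOTERS = {
    "SC-1001": {"lat": -41.2865, "lon": 174.7762, "battery": 71, "locked": False,
                "rider_phone": "+64210000001"},
    "SC-1002": {"lat": -41.2905, "lon": 174.7820, "battery": 40, "locked": True,
                "rider_phone": None},
}

# Opaque bearer tokens -> principal. Assumption for the example; a real service
# would issue signed, expiring tokens rather than a static table.
TOKENS = {
    "tok-alice": {"sub": "+64210000001", "role": "rider"},
    "tok-bob":   {"sub": "+64210000002", "role": "rider"},
    "tok-ops":   {"sub": "fleet-ops",    "role": "operator"},
}

PSEUDONYM_KEY = b"server-side-secret-never-sent-to-clients"  # assumed secret


def rider_ref(phone):
    """Keyed, stable pseudonym: operators can correlate one rider's trips without
    receiving the phone number, and without the key the value cannot be reversed."""
    if phone is None:
        return None
    return hmac.new(PSEUDONYM_KEY, phone.encode(), hashlib.sha256).hexdigest()[:16]


def get_scooter_vulnerable(scooter_id):
    """The pattern described in the talk: no token, and the whole record comes back."""
    s = SCOOTERS.get(scooter_id)
    if s is None:
        return 404, {"error": "not found"}
    return 200, {"id": scooter_id, **s}


def get_scooter_hardened(scooter_id, headers):
    """Authenticate first, then decide per role and per scooter state what is visible."""
    auth = headers.get("Authorization", "")
    principal = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if principal is None:
        return 401, {"error": "authentication required"}
    s = SCOOTERS.get(scooter_id)
    if s is None:
        return 404, {"error": "not found"}
    public = {"id": scooter_id, "lat": s["lat"], "lon": s["lon"],
              "battery": s["battery"], "locked": s["locked"]}
    if principal["role"] == "operator":
        # Fleet staff need live positions and trip correlation, not identities.
        return 200, {**public, "rider_ref": rider_ref(s["rider_phone"])}
    if s["locked"]:
        # A parked, available scooter has to be findable by every rider.
        return 200, public
    if s["rider_phone"] == principal["sub"]:
        # Only the current rider may see a scooter that is mid-trip.
        return 200, public
    # Someone else's trip in progress: this is the A-to-B trace the talk warned about.
    return 403, {"error": "not your rental"}


if __name__ == "__main__":
    print(get_scooter_vulnerable("SC-1001"))
    print(get_scooter_hardened("SC-1001", {}))
    print(get_scooter_hardened("SC-1001", {"Authorization": "Bearer tok-bob"}))
    print(get_scooter_hardened("SC-1001", {"Authorization": "Bearer tok-ops"}))
```

Note that the hardened handler still answers 200 for parked scooters to any authenticated rider, so an attacker with one account can still enumerate where idle scooters are; rate limiting and per-account anomaly detection on that endpoint are the next layer, and the phone number never needs to leave the server at all.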

In an office environment the users are on your side: they will report spam or a virus if they recognise one. In the IoT world, however, the user may be the adversary, because they want a free ride, to cheat, or whatever. The legitimate user belongs in the threat model, so we need to make sure our systems are up to the challenge.

