| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Nov 2017 19:25:01 +0200 From: pop shark <popshark1@...il.com> To: fulldisclosure@...lists.org Subject: Re: [FD] An anti theft system allowing attackers to kill remotely the engine in electric scooters made by by INOKIM/MyWay, affected model - model Quick 3 Hi, My last mail had a mistake, please don't publish it. I'm adding a corrected version. Thank you > > Claim: An anti theft system allowing attackers to kill remotely the engine > in electric scooters made by by INOKIM/MyWay, affected model - model Quick > 3. > > MYWAY/INOKIM created new model - Quick 3, This model has new mobile phone > app. > > The app has anti theft system, which allows the owners to remotely > deactivate the engine, in any situation (on move or during parking), this > by using Bluetooth connection to BT module in the *electric scooter*, > It’s a feature. > > Malicious attacker can use this Anti-Theft feature, in order to deploy > easy attack, and shot down the engine of the scooter, even while the driver > is using it in high speed > > Potential causalities can be injury or death. > > The serial number of the scooter (VIN) just like cars, is shown on the > scooter with no physical protection, and that basically all you need to > know in order to deploy an easy attack.. > > The anti thief option in the app, can be trigger any time as long as you > have the VIN (Inokim serial number). > > Risk: loosing control, Death, injury, road accidents etc. > > Technical info: > > Attacker can use at least two options in order to deploy attack: > > 1.VIN and Bluetooth > > The VIN, a serial number of the scooter which supposed to be secret due to > the potential uses, is shown on the shooter like many other cars, so > attacker can take a picture of the scooter frame, or just look at it, and > then he can deploy attack with temporary username in the app, and > verification by VINs of any scooter out there. > > 2.Remote control of victim's mobile phones, can allow attacker to control > the phone of the owner/target remotely and then deploy an attack even from > another country. > > Example: Mircast, Trojan horse, Pre installed spy software with full > control of the phone, team viewer, VNC. > > Status: > > Company didn't answer to emails sent by > > 29.07.2017 > > 07.10.2017 > > National Cyber Security Authority in Israel, got notified and, no update > has been given regards proactive changes in the company. > > Since the feature is made by design, and supposed to help preventing > people from stealing the scooters, it's logic security problem, and not > typical mistake, they knew about it. > > > > P.S. > > 1.The way I got into the VIN problem, is by informers who shared with me > the fear of using those scooters, included of live demo they made on their > device, of how the scooter can be shot down remotely, in high speed. > > The idea of using Mircast or Trojan horse and remote controlling the owner > app is mine. > > Since at least 3 other people knew about the problem, before it came to my > attention, I decided that I must share it now. > > Moreover, my research show that connected bikes and connected scooters are > becoming very popular, so the community attention must be higher, into > engines with remote killing switch.. > > I believe that international ISO, should make new working groups regards > those small vehicles, protecting cars only can’t cover the immediate > situation in the streets, we need to make cyber regulation for the new era > of mini connected electric vehicles. > > You are welcome to contact me for any request > > Sources: > > http://inokim.com/q3_features/ > > https://youtu.be/_OAEqD0z2Tc?t=1m34s > > Video of the ECU and BT controller. > > https://www.youtube.com/watch?v=FclHcgE6-34 > > Android App > > https://play.google.com/store/apps/details?id=com.bugull.myway > > IOS app > > https://itunes.apple.com/pk/app/inokim/id1116583514?mt=8 > > User Guide Manual > > http://inokim.com/wp-content/uploads/2014/12/Quick3-UserGuide_Prewiew.pdf > > Amitay Dan (popshark1) > > www.amitaydan.com > > https://twitter.com/popshark1 > > https://il.linkedin.com/in/amitay-dan-a63647aa > > > > > > > > > > <#m_7492549913425545987_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> > -- [image: --] Amitay Dan [image: http://]www.amitaydan.com <http://about.me/amitay.dan?promo=email_sig> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists