Message-ID: <CABBUbnFCB9hstV35hxsti89rOtNJNZQy1Q8pxCBfxJ0gmHr6JA@mail.gmail.com>
Date: Thu, 9 Nov 2017 19:25:01 +0200
From: pop shark <popshark1@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] An anti-theft system allowing attackers to kill remotely
the engine in electric scooters made by INOKIM/MyWay,
affected model - model Quick 3
Hi, my last mail had a mistake, please don't publish it.
I'm adding a corrected version.
Thank you
>
> Claim: An anti-theft system allowing attackers to kill remotely the engine
> in electric scooters made by INOKIM/MyWay, affected model - model Quick
> 3.
>
> MYWAY/INOKIM created a new model, the Quick 3. This model has a new mobile
> phone app.
>
> The app has an anti-theft system which allows the owner to remotely
> deactivate the engine in any situation (on the move or while parked),
> using a Bluetooth connection to the BT module in the *electric scooter*.
> It's a feature.
>
> A malicious attacker can use this anti-theft feature in order to deploy an
> easy attack and shut down the engine of the scooter, even while the driver
> is using it at high speed.
>
> Potential casualties can be injury or death.
>
> The serial number of the scooter (VIN), just like on cars, is shown on the
> scooter with no physical protection, and that is basically all you need to
> know in order to deploy an easy attack.
>
> The anti-theft option in the app can be triggered at any time as long as you
> have the VIN (Inokim serial number).
>
> Risk: losing control, death, injury, road accidents etc.
>
> Technical info:
>
> An attacker can use at least two options in order to deploy the attack:
>
> 1. VIN and Bluetooth
>
> The VIN, a serial number of the scooter which is supposed to be secret due
> to its potential uses, is shown on the scooter like on many cars, so an
> attacker can take a picture of the scooter frame, or just look at it, and
> then deploy the attack with a temporary username in the app and
> verification by the VIN of any scooter out there.
>
> 2. Remote control of the victim's mobile phone can allow an attacker to
> control the phone of the owner/target remotely and then deploy an attack
> even from another country.
>
> Example: Miracast, Trojan horse, pre-installed spy software with full
> control of the phone, TeamViewer, VNC.
>
> Status:
>
> The company didn't answer emails sent on
>
> 29.07.2017
>
> 07.10.2017
>
> The National Cyber Security Authority in Israel was notified, and no update
> has been given regarding proactive changes in the company.
>
> Since the feature is made by design and is supposed to help prevent
> people from stealing the scooters, it's a logic security problem and not a
> typical mistake; they knew about it.
>
> P.S.
>
> 1. The way I got into the VIN problem is through informers who shared with
> me their fear of using those scooters, including a live demo they made on
> their device of how the scooter can be shut down remotely at high speed.
>
> The idea of using Miracast or a Trojan horse and remotely controlling the
> owner's app is mine.
>
> Since at least 3 other people knew about the problem before it came to my
> attention, I decided that I must share it now.
>
> Moreover, my research shows that connected bikes and connected scooters are
> becoming very popular, so the community's attention must be higher
> regarding engines with a remote kill switch.
>
> I believe that the international ISO should make new working groups
> regarding those small vehicles; protecting cars only can't cover the
> immediate situation in the streets, we need to make cyber regulation for
> the new era of mini connected electric vehicles.
>
> You are welcome to contact me with any request.
>
> Sources:
>
> http://inokim.com/q3_features/
>
> https://youtu.be/_OAEqD0z2Tc?t=1m34s
>
> Video of the ECU and BT controller.
>
> https://www.youtube.com/watch?v=FclHcgE6-34
>
> Android App
>
> https://play.google.com/store/apps/details?id=com.bugull.myway
>
> iOS app
>
> https://itunes.apple.com/pk/app/inokim/id1116583514?mt=8
>
> User Guide Manual
>
> http://inokim.com/wp-content/uploads/2014/12/Quick3-UserGuide_Prewiew.pdf
>
> Amitay Dan (popshark1)
>
> www.amitaydan.com
>
> https://twitter.com/popshark1
>
> https://il.linkedin.com/in/amitay-dan-a63647aa
>
--
Amitay Dan
www.amitaydan.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/