Segway hoverboards

Ninebot, the company behind Segway hoverboards, has issued new firmware to fix several security flaws that allowed an attacker to connect to users' devices over Bluetooth and take them over.

The flaws were discovered last year by Thomas Kilbride, a security researcher for IOActive, who privately contacted the company and disclosed his findings.

Segway hoverboards have two access PINs

In a report published today, Kilbride details three major issues. The first is that anyone can connect via Bluetooth to another person's hoverboard.

This happens because Segway hoverboards ship with a default Bluetooth access PIN of 000000 that continues to be accepted even after the owner sets a new PIN, so changing the PIN offers no protection.
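The PIN-handling flaw described above, as an added illustration that is not Ninebot's firmware or IOActive's code: a hypothetical pairing check that keeps honouring the factory default next to a hardened version that retires the default once the owner changes it, compares in constant time and locks the interface after repeated failures. The class and method names, the six-digit format and the lockout parameters are assumptions.

```python
import hmac
import time

DEFAULT_PIN = "000000"  # factory default cited in the report


class VulnerablePinCheck:
    """Accepts the factory default even after the owner sets a new PIN,
    which is the behaviour the report describes."""

    def __init__(self):
        self.user_pin = None

    def set_pin(self, new_pin):
        self.user_pin = new_pin

    def authenticate(self, pin):
        # The default is never retired, so the owner's PIN change is useless.
        return pin == DEFAULT_PIN or (self.user_pin is not None and pin == self.user_pin)


class HardenedPinCheck:
    """Default PIN is valid only until the first change, comparisons are
    constant-time, and repeated failures lock the interface."""

    MAX_FAILURES = 5       # assumed policy
    LOCKOUT_SECONDS = 60   # assumed policy

    def __init__(self, clock=time.monotonic):
        self.user_pin = None   # None means still on the factory default
        self.failures = 0
        self.locked_until = 0.0
        self.clock = clock

    def set_pin(self, current_pin, new_pin):
        # Changing the PIN requires the current one; the new PIN must be
        # six digits and must not be the factory default.
        if not self.authenticate(current_pin):
            return False
        if len(new_pin) != 6 or not new_pin.isdigit() or new_pin == DEFAULT_PIN:
            return False
        self.user_pin = new_pin
        return True

    def authenticate(self, pin):
        now = self.clock()
        if now < self.locked_until:
            return False
        # Once a user PIN exists the default is no longer an accepted value.
        expected = self.user_pin if self.user_pin is not None else DEFAULT_PIN
        ok = hmac.compare_digest(pin.encode(), expected.encode())
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
            self.failures = 0
        return False


if __name__ == "__main__":
    weak = VulnerablePinCheck()
    weak.set_pin("482913")
    print("vulnerable accepts 000000 after change:", weak.authenticate("000000"))
    strong = HardenedPinCheck()
    strong.set_pin("000000", "482913")
    print("hardened accepts 000000 after change:", strong.authenticate("000000"))
```

A device should additionally refuse to leave the factory default in place at all, forcing a PIN change during first pairing; the hardened class above still accepts the default until the owner changes it, which is the minimum needed for an initial pairing.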

The second issue comes into play once an attacker is connected to a Segway hoverboard. According to Kilbride, the attacker can point the device at a malicious firmware image hosted on a server under their control and have it installed. This is possible because Segway hoverboards perform no validation or integrity checks on firmware images before applying them.
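What a missing integrity check looks like next to a working one, as an added example that is not Ninebot's update code or IOActive's research material: a hypothetical firmware image format (magic, version, payload length, payload, authentication tag) with an unchecked "apply" beside a verifier that rejects truncated, tampered and rolled-back images. The image layout, the `NBFW` marker and the key are constructed for this example. HMAC-SHA256 with a device key is used only because the Python standard library has no public-key signatures; a shipped device should verify a signature against a public key held in immutable storage, since a symmetric key on the board can be extracted and then used to sign attacker firmware.

```python
import hashlib
import hmac
import struct

MAGIC = b"NBFW"                          # hypothetical image marker
HEADER = struct.Struct("<4sII")          # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def apply_unchecked(image):
    """Vulnerable: whatever the Bluetooth peer sends becomes the firmware."""
    return image


def _tag(key, header, payload):
    # Tag covers the header too, so version and length are authenticated.
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def build_image(key, version, payload):
    header = HEADER.pack(MAGIC, version, len(payload))
    return header + payload + _tag(key, header, payload)


def verify_image(key, image, installed_version):
    """Return (payload, None) if the image is acceptable, else (None, reason)."""
    if len(image) < HEADER.size + TAG_LEN:
        return None, "truncated"
    header = image[:HEADER.size]
    magic, version, length = HEADER.unpack(header)
    if magic != MAGIC:
        return None, "bad magic"
    if len(image) != HEADER.size + length + TAG_LEN:
        return None, "length mismatch"
    payload = image[HEADER.size:HEADER.size + length]
    tag = image[HEADER.size + length:]
    # Authenticate before trusting any header field for a decision.
    if not hmac.compare_digest(tag, _tag(key, header, payload)):
        return None, "bad tag"
    # Anti-rollback: an attacker must not be able to reinstall a known-bad build.
    if version <= installed_version:
        return None, "rollback"
    return payload, None


if __name__ == "__main__":
    key = b"constructed-test-key"
    good = build_image(key, 2, b"\x00" * 64)
    tampered = bytearray(good)
    tampered[20] ^= 1                     # flip a bit inside the payload
    print("unchecked apply of tampered image:", apply_unchecked(bytes(tampered)) == bytes(tampered))
    print("verified apply of tampered image:", verify_image(key, bytes(tampered), 1))
    print("verified apply of good image, version 2 over 1:", verify_image(key, good, 1)[1])
```

Note the order of checks: the tag is verified before the version is compared, so an attacker cannot use a forged header to probe or influence the rollback decision.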

The third and last vulnerability is unrelated to the first two and affects the mobile app that Segway owners can install to control their devices remotely. The app also contains a feature that shows the location of nearby Segway riders. Kilbride argues that this information should not be exposed, since it lets an attacker locate other potentially vulnerable devices to target.

Vulnerabilities could lead to theft, physical harm

The vulnerabilities the researcher discovered are dangerous and could lead to physical injury to Segway owners. Because an attacker can connect over Bluetooth and install arbitrary firmware, they can:

- order hoverboards to start or stop when riders are not prepared for it
- override safety measures, leading to overheating or other hazardous conditions
- drive hoverboards away from their owners, facilitating theft
- change the hoverboard's PIN, locking owners out of their own devices

Below is a video IOActive released today as a visual guide to Kilbride's discoveries. IOActive researchers will also present their work at the upcoming Black Hat USA 2017 security conference in Las Vegas in late July.
