E-trojans: Ransomware, tracking, DoS, and data leaks on Xiaomi electric scooters

Casagrande, Marco; Antonioli, Daniele
BLACKHAT 2025, Invited talk, Briefings, 6-7 August 2025, Las Vegas, USA

We present a broad security and privacy assessment of the internals of two popular Xiaomi e-scooters: the M365 (2016) and Mi3 (2023). The internals include a battery management system (BMS), an electric motor controller (DRV), and a Bluetooth Low Energy subsystem (BTS). We also analyze Mi Home, the official Xiaomi e-scooter companion app for Android and iOS.

We uncovered four critical vulnerabilities through extensive static and dynamic reverse engineering, including a remote code execution flaw in the BMS. We exploit the vulnerabilities to conduct four novel attacks we call E-Trojans. The attacks can be executed remotely via a malicious mobile application installed on the victim's phone or in wireless proximity using a Bluetooth Low Energy (BLE) device. The attacks affect the e-scooter safety, security, availability, and privacy. For example, we present a new ransomware attack infecting the BMS and asking for a ransom while permanently damaging the e-scooter battery by silently undervolting its cells.

We present the E-Trojans toolkit, an open-source and modular toolkit for reproducing our attacks and experimenting with Xiaomi e-scooters. The toolkit contains an automated patching module that creates modified BMS firmware with malicious capabilities, such as disabling firmware updates and overriding the battery safety thresholds. The toolkit also includes the Android app and Django/MongoDB backend required by our ransomware.

Empirical tests confirm our attacks' effectiveness and practicality. For instance, our undervoltage ransomware can permanently reduce the autonomy of an M365 battery by 50% in three hours while asking for a ransom. We propose four countermeasures to enhance the security and privacy of the Xiaomi e-scooter ecosystem.

Type: Talk
City: Las Vegas
Date: 2025-08-07
Department: Digital Security
Eurecom Ref: 8331
Copyright: © EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in BLACKHAT 2025, Invited talk, Briefings, 6-7 August 2025, Las Vegas, USA and is available at:

PERMALINK: https://www.eurecom.fr/publication/8331