As the much-awaited hacking conferences DefCon and Black Hat approach, security researchers and engineers are revealing their studies and exploits to spread awareness about vulnerabilities and weaknesses in anything that has a wireless connection or Internet connectivity.
This time, two security researchers, Richo Healey and Mike Ryan, got hold of a few Bluetooth-controlled electric skateboards to search for possible vulnerabilities in their onboard systems.
Finding the Electric Skateboard Vulnerability
The itch to find a vulnerability in electric skateboards arose when one of the researchers was riding his skateboard toward an intersection and the skateboard stopped abruptly, tossing him onto the street. Because he is a security engineer, he believed it happened due to possible interference with his skateboard from other Bluetooth-enabled devices at the intersection.
Richo Healey is a Security Engineer at the payment solution firm Stripe, and Mike Ryan is a member of the Red Team at eBay. The two researchers acquired three Bluetooth-enabled electric skateboards to begin their research and hacking experiment.
While explaining the core reason behind their research, Richo Healey said:
“It’s easy to point to this and say, oh it’s just a skateboard, but for people who are buying these boards and commuting on them every day … there is risk obviously associated with that…. We explicitly did this research in order to make the devices safer.”
They spent quite some time on research, which resulted in the discovery of an exploit that gave them complete control over the skateboard’s digital onboard system. They codenamed this exploit “FacePlant.”
The Three Vulnerable Electric Skateboards
The three skateboards used by the researchers are the E-Go electric skateboard, manufactured by the China-based company Yuneec; the Boosted Dual Plus skateboard, manufactured by the US-based company Boosted; and the 1300S Sports skateboard, manufactured by the Australia-based company Revo.
The vulnerability lies in the unencrypted communication link between the skateboard and the remote control. The researchers found at least one serious vulnerability in each skateboard’s system, but the method of attack differs from board to board.
At this time, the researchers have a working hack for the Boosted Dual Plus skateboard. A second hack, targeting E-Go skateboards, is under development and is codenamed “Road Rash.”
How the Boosted Skateboard FacePlant Hack Works
The skateboards manufactured by Boosted use an onboard app that controls two 1-kilowatt electric motors, which are operated with a Bluetooth-enabled handheld remote. The motors run while a button is pressed and stop when it is released.
Since the Bluetooth communication link is unencrypted, any hacker in proximity to the skateboard can easily break into the skateboard’s system and force it to connect to his laptop.
It takes a mere two to ten seconds for the hacker’s Bluetooth connection to be established with the skateboard. Once the connection is formed, the hacker has only 10 milliseconds to take control of the skateboard and send malware, because after that the remote control and skateboard automatically re-establish their connection.
“The remote becomes essentially a useless brick that can’t re-engage with the board until the attacker disconnects.”
To make this process faster and more reliable, the researchers suggested that a hacker could use a script that automates the exploitation process.
Once the Bluetooth connection is established, the hacker would be able to stop the skateboard and could even send a malicious exploit that causes the motors to reverse their direction of rotation or disengages the braking system.
Here’s how Kim Zetter of Wired explains the condition faced by the rider once the skateboard is hacked:
A rider who is paying attention would notice the board slowing slightly as it goes into neutral—the wheels spinning in place briefly—before the reverse command kicks in and pitches the driver forward while the board takes off in the opposite direction. But most riders will be caught off guard. “Usually you don’t face plant, because the board slows down enough. But if you’re not expecting it, and you’re going fast enough, it could go pretty bad,” says Ryan.
Both researchers plan to demonstrate several of the security vulnerabilities that helped them hack the boards in “Hacking Electric Skateboards: Vehicle Research for Mortals,” an event scheduled for Saturday at the Def Con hacker conference in Las Vegas.