Ninebot, the company behind Segway hoverboards, has issued new firmware to fix various security flaws that allow an attacker to connect to and take over users' devices.
The flaws were discovered last year by Thomas Kilbride, a security researcher for IOActive, who contacted the company in private and disclosed his findings.
In a report published today, Kilbride details three major issues. The first is that anyone can connect via Bluetooth to another person's hoverboard.
This happens because Segway hoverboards use a default Bluetooth access PIN of 000000, which remains active even after the user changes it.
The second issue comes into play after an attacker connects to a Segway hoverboard. According to Kilbride, an attacker could trick the user's device into downloading a malicious firmware update from a server under the attacker's control. This is possible because Segway hoverboards do not perform any validation or integrity checks on firmware images before applying them.
The third and last vulnerability is unrelated to the first two, and affects the mobile app that Segway owners can install and use to remotely control devices. This app also contains a feature that shows the location of nearby Segway users. Kilbride argues that such information should not be included in the app, as it would allow an attacker to target other potentially vulnerable devices.
The vulnerabilities the researcher discovered are dangerous and could lead to physical injury to Segway owners. For example, because an attacker can install new firmware on devices and can remotely connect via Bluetooth, he can:
Below is a video IOActive released today as a visual guide to Kilbride's discoveries. IOActive researchers will also be presenting their work at the upcoming Black Hat USA 2017 security conference that will be held in Las Vegas at the start of August.
Image credits: Ninebot