The e-scooters that risk your safety and your data security

The discussions around the legality of electric smart scooters are ongoing, but that hasn't stopped them from becoming a regular sight on UK roads and pavements, and they are widely available from retailers including eBay and Amazon.

Many of the e-scooters on sale have a smartphone app to track battery usage, journeys and speed, as well as to lock the scooter and switch it on. To see whether these apps were handling user data securely, we conducted an in-depth smart security test with global cyber security expert NCC Group.

We assessed e-scooters from nine brands - Segway, Pure, Xiaomi, Kugoo, Vici, iScooter, Aovo, YouFs and iWheels- and it didn't take long to realise their failings went beyond data security.

On some we were able to increase the speed past 15.5mph (the speed limit for rental e-scooters in the UK) and engage the lock or brake remotely while the scooter was in motion, which could result in serious injury.

Keep reading to see details of the risks we identified, what needs to happen to fix them and whether manufacturers are doing anything about it.

Everything you need to know about e-scooters - price, range and the all important question of legality

Security issue: bypassing the legal speed limit

In cities across the UK you can find banks of scooters available for rent and their max speed is set to 15.5mph.

On three of the scooters we were able to increase this top speed to 18mph and the potential was there for the speeds to be pushed even higher.

This isn't something a malicious hacker would necessarily do, but a thrill-seeking rider can hack the scooter themselves to increase the speed.

There's a reason rental scooters are capped at 15.5mph and one going 18mph creates increased risk for the rider and pedestrians.

What needs to change and are manufacturers doing it?

We reached out to Aovo, iScooter and Segway urging them to improve the firmware verification on their scooters, so that only approved firmware could be installed. We also recommended a clampdown on third-party apps being able to access the firmware of the scooters.

None of the manufacturers responded to our findings, but we will continue to press them to update the scooters.

Security issue: triggering the locks while the scooter is moving

If you've got the right model, then you can walk up to your car and unlock it with the press of a button on the key. Several e-scooters have the same function using a smartphone app.

It's a handy feature, but we discovered that a hacker could connect to the scooter and apply the lock while the scooter was moving. An e-scooter coming to a dead stop at 15.5mph could cause serious injury.

What needs to change and are manufacturers doing it?

There's no reason for the app to be able to lock the scooter while it's moving, and this feature should be deactivated in the apps of all affected scooters.

We found this issue in the Kugoo, Pure and Segway scooters that we tested and so far only Pure has responded to our findings.

It has since updated its app to remove the ability to lock the e-scooter while it's in motion.

Security issue: out of date app security

There's a war going on. Hackers create software that can get around cyber security in apps and app developers respond by increasing the security to stop the hackers getting in. This back and forth will probably never end, but sometimes hackers don't need to try very hard to break into an app and take control.

We found the code in the Kirin (Kugoo), Pure, Vici, iWheels and Powerride (YouFs) apps was out of date making it trivial for hackers to gain access and run their own code on the apps. This means a hacker could change how an app works or stop it working entirely.

What needs to change and are manufacturers doing it?

Apps must be kept up to date, there's simply no excuse for selling devices that use apps with out of date software.

We contacted all the affected manufacturers, but again only Pure got in touch with us to let us know it has fixed the issue. The software libraries used in the app are now up to date, and Pure will continue to check them on a monthly basis to make sure they stay that way.

Security issue: lack of data encryption

If we had a pound for every time we found a device that didn't properly encrypt the data it collects about its user then we'd be rich indeed.

Every single e-scooter app we looked at didn't encrypt well enough. Every one.

We were able to intercept a range of sensitive data as it was being transferred from the app to the servers where it's stored. User information, journeys, and login details were all accessible.

What needs to change and are manufacturers doing it?

Currently the data is transferred using HTTP and it must be updated to HTTPS (the S stands for secure). Only Pure informed us that it was adding up-to-date encryption on its app, we're still waiting to hear from the other 10.

Security issue: exposed SWD port

We can't say which of the scooters had the exposed port because it would be easy to target for hackers.

An SWD (Serial Wire Debug) port is something used by the manufacturer to easily check for bugs and faults while the device is being tested and developed, and it was left on the retail version of this scooter.

A hacker could physically connect to the device and easily bypass any security measures making it dangerous to use, or even stealing it.

What needs to change and are manufacturers doing it?

The port needs to be removed from retail versions of the scooter. There's no reason for it to be there.

We reached out to the manufacturer to alert them to the issue, but we haven't heard back.

Security issue: unencrypted Bluetooth communications

There's that word again. This has less to do with data theft, but having unencrypted Bluetooth means that hackers could access the scooter software and potentially run their own commands, changing how the scooters operate.

This could make the scooters dangerous to use as they no longer function as they were intended.

What needs to change and are manufacturers doing it?

The Pure and Segway scooters both had this issue, but it could be easily fixed by adding a Bluetooth password unique to each device. Any attempts to run malicious code would be impossible without first knowing this password.

Only Pure responded to our request for comment and told us: “We will be updating the registration process for e-scooters and encouraging new customers to set up a PIN within the app.”

Security issue: sideloading control apps

If ever there was a red flag for an unsecure device it's not being able to download the app you use to control it from an official app store, such as the Apple App Store and Google Play Store.

The Powerride scooter doesn't have an official app, instead you need to download it from a website and go through a process called sideloading to put it on your smartphone.

App stores are important. Some slip through the net but generally, an app on an official store is safe to use on your phone. Apps downloaded from the internet and sideloaded could install all kinds of malware and viruses onto your device.

What needs to change and are manufacturers doing it?

Create an official app and put it through the verification process on the Apple and Google app stores. It's as simple as that.

We contacted YouFs with our findings, but it hasn't got back to us.

Lots of work to be done to make e-scooters safer

We encountered a catalogue of errors when testing e-scooters. Some, such as lack of encryption and out of date app security, we expected, but the ability to lock or apply the brakes to a scooter while moving or increase the speeds past the legal limit was a potentially dangerous surprise.

We were impressed by Pure's response as it pledged to fix, or has fixed, every issue we flagged with them, but the lack of responses from other brands is shocking.

We'll continue to press each one for a response and update this story when we know how they intend to fix the serious issues we've raised.