Old news, summarized nicely: https://melmagazine.com/en-us/story/inside-the-lawless-new-world-of-electric-scooter-hacking
Most of these hacks have nothing to do with firmware at all – they are basic physical access analog hacks… or in some variants, simple theft and vandalism.
The 3 primary components of these (and any e-bike, or electric car!) are:
- Battery – with it’s own resale / reuse value
- Motor – with it’s own resale / reuse value
- Computer – with it’s own resale / reuse value, AND virtually impossible to prevent it from being completely hacked “in place.”
Most of the current activity on the streets of San Francisco seems to be either simply tearing apart the scooter to reuse/resell the current parts, or on basic hotwiring (routing entirely around the computer) to make the scooter function as – just an electric scooter.
Some response from the scooter providers has been firmware updates to disable some things, such as suspending billing by picking up a scooter and relocating it.
Much more interesting, and relevant to firmware security will be to watch the cat and mouse game play out with regards to the firmware on the computer.
Manufacturers of highly computerized, shared use vehicles beware – your threat model is that of a “Hands-on for days” (SUPER Evil Maid) attack, scaling up to unlimited physical access. Much closer to trying to protect an entire manufacturing supply chain than it is to making sure TSA isn’t getting too handsy with your laptop. Worse, if you consider that Attackers can:
- Move your vehicle (even if you were to lock the axles!) to a full laboratory setting
- Rewrite any storage, including pulling and reflashing chips
- Create scalable, automated, fast, reusable attacks, developed in a laboratory