In a day and age where computer hacking, car hacking, gun hacking and artificial organ hacking exist, the possibilities for exploitation seem endless, and that’s just what security researchers discovered when testing the latest electric skateboards.
Security researcher Richo Healey began testing his electric skateboard after he was abruptly stopped while skating towards an intersection in Melbourne, Australia. The board suddenly stopped beneath his feet, launching him off the board onto the pavement. After hours of troubleshooting, he was unable to find any mechanical defect in his board. That is when he began to question whether the board was capable of being hacked, and whether he had been a victim.
It didn’t take long for Healey to discover the issue. The intersection where Healey was riding is notorious for being saturated with a swath of radio frequency noise. Because Healey was controlling the board with a handheld remote via Bluetooth, the possibility of a hack crossed his mind. Healey quickly concluded that he wasn’t the victim of an attack, but was instead flooded with active Bluetooth traffic around him, which interfered with the remote’s connection to the board.
Healey, who works on security for the payment company Stripe, teamed up with fellow researcher Mike Ryan, who works on the security team at eBay. The two worked to see if the electric skateboard could be hacked and, as a result, developed an attack called FacePlant that gives them complete control over someone’s board.
“[The attack] is basically a synthetic version of the same RF noise [at that intersection in Melbourne],” Healey said, speaking with Wired, explaining how they could stop the board and send it flying into reverse, throwing the rider from the board.
The two are set to present their skateboard hacking research this Saturday at the upcoming DEF CON hacker conference in Las Vegas.
Healey and Ryan tested boards from a large number of manufacturers, including Boosted board, Revo, E-Go and Yuneec, all of which produce electric skateboards for around $1,000-$1,500. During their testing they found at least one critical vulnerability in every board, as each fails to encrypt the communications going to and from the board.
Boosted boards connect to a mobile app and are driven by two small motors controlled by a small handheld remote, which the rider uses to adjust speed over Bluetooth Low Energy wireless technology, along with a battery that lasts for roughly six miles per charge. The app also includes a switch that allows the rider to cut the motor instantly.
Because the Bluetooth communication is not encrypted and does not require any form of authentication, an attacker could easily force the board to connect to their laptop. Once this occurs, they would have complete control, with the ability to abruptly stop the skateboard and throw the rider, to send a script that forces the board to accelerate and then jerk in another direction, launching the victim off the board, or to cut the brakes. Attackers can simply jam the connection between the rider and app, causing the board’s brakes to lose control.
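What the missing authentication check looks like from the board's side, as an added example that is not the researchers' or any vendor's code: each control frame carries a message authentication tag and a counter, so frames from an unpaired sender and replayed frames are dropped. The frame layout, opcode value and pairing key here are assumptions made up for the illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical frame: opcode (1 byte), throttle -100..100 (1 signed byte),
# counter (4 bytes, big-endian), then a 16-byte truncated HMAC-SHA256 tag.
HEADER = struct.Struct(">BbI")
TAG_LEN = 16
OP_THROTTLE = 0x01  # assumed opcode, not taken from any real board


def seal(key: bytes, opcode: int, throttle: int, counter: int) -> bytes:
    """Remote side: build a frame and append its authentication tag."""
    body = HEADER.pack(opcode, throttle, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Board:
    """Board side: act only on authentic, fresh, well-formed frames."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.throttle = 0

    def receive(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject: length"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "reject: tag"
        opcode, throttle, counter = HEADER.unpack(body)
        if counter <= self._last_counter:  # old or repeated frame
            return "reject: replay"
        if opcode != OP_THROTTLE or not -100 <= throttle <= 100:
            return "reject: command"
        self._last_counter = counter
        self.throttle = throttle
        return "accept"


def demo() -> list:
    pairing_key = bytes(range(32))  # constructed key, set at pairing time
    board = Board(pairing_key)
    genuine = seal(pairing_key, OP_THROTTLE, 40, 1)
    unpaired = seal(b"\x00" * 32, OP_THROTTLE, -100, 2)  # sender without the key
    return [board.receive(genuine), board.receive(unpaired),
            board.receive(genuine), board.throttle]
```

Authentication of this kind addresses commands from an unpaired device; it does not prevent the radio link itself from being jammed, so the board's behaviour on link loss still has to be designed separately.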
The danger grows as riders gain speed: imagine going 20 miles per hour and then being abruptly stopped, which would definitely throw you from the board. Even worse, the FacePlant attack can cause the skateboard’s motors to go into reverse, which in turn launches the board into full speed, destroying whatever is in its path. As FacePlant disables the switch that kills the motor, nothing will stop the board until it is out of the attacker’s range, the hackers instruct it to stop, or it is physically turned off.
“This thing can cause some serious damage,” Ryan said, warning of the FacePlant attack.
Timing is key when it comes to executing FacePlant, as it takes a mere ten seconds of jamming to steal the board’s Bluetooth connection, then another 10 milliseconds to exploit the board. Once that is done, the board will re-connect and be under the hacker’s control.
“Once you have the ability to write arbitrary firmware, you can change the top speed, change the minimum speed, make the board refuse to stop and ignore the existence of the [remote] controller,” Ryan explained, stating that a simple restart confirms the firmware upgrade.
One possible way to thwart the attack exists, and that’s Bluetooth noise. The jammer is unable to distinguish Bluetooth packets that belong to the skateboard from those of other Bluetooth devices nearby. While demonstrating the skateboard hack in a tech-heavy neighborhood, the researchers struggled, needing multiple attempts before landing a successful connection.
And all of this was completed using three transmitters that cost the researchers about $100 each. The two said you could increase the efficiency of the hack by adding additional transmitters. The researchers were able to hijack the board from up to 30 meters away in non-congested areas, where Bluetooth traffic was light. But in the average city, the two were able to hijack it from an average of 10 meters away.
“The point of the research is to remind vendors that they actually do have a burden to users to make safe products,” Healey says. “They should make it easy to report bugs and they should be proactive to fix them. We haven’t seen any safety in the electric vehicle market and there’s a pretty serious lack of manufacturers taking security seriously.”
The researchers said the hacking goes far beyond skateboards and could even affect new Bluetooth-enabled bikes, which could cause more damage, as you are able to step off a skateboard. The researchers are gearing up to begin testing the smart bike shortly, but are continuing their research into skateboard hacking.