Beware, skateboarders! Hackers can switch your 'leccy plank into reverse at warp speed

Boosted to wheel out firmware patch

DEF CON 23 Boosted electric skateboard fans will need to get patching after hackers exposed a flaw that can send them into reverse at maximum power.

The hack – demonstrated at DEF CON in Las Vegas this week – was the brainchild of Richo Healey, a security engineer at Stripe, who was using his 'leccy board in Melbourne when he realised he was getting thrown off in heavy radio environments.

The Boosted board has pressure sensors at the front and back that control movement and a handheld controller that uses Bluetooth to communicate with the board – and it's this bit of tech that's causing the problem.

Healey confessed he knew nothing about Bluetooth so consulted a friend, Mike Ryan at eBay, to clue him in. Together they took a spectrum analyser to the skateboard and worked out how the Bluetooth system operated.

To their surprise, the Bluetooth was broadcasting unencrypted to the controller, making it relatively easy to read what was going on. The controller was sending on the handle 0x1a and reading on 0x1c, basically acting as a software serial port.

They then managed to isolate the controls for modifying the speed of the board, its battery level, and how to switch between expert and beginner mode. After running a Python Bluetooth fuzzer at the skateboard they managed to get a limited amount of control, but it turned out to be much harder than it looked.

The original plan was to try to recreate the original problem of too much noise and try jamming the Bluetooth connection, but the protocol is quite smart and hops around within its defined spectrum range to avoid getting jammed.

So the duo had to map out the access address, find out the channel hop interval and increment, which channel it was operating on and what order the signal traverses. Once that was worked out they could set up a jammer and throw the skateboard into reverse, launching the rider onto the pavement.

The pair also strapped the exploit hardware to a drone, although strapping a Raspberry Pi, radio antennas and a battery to the craft proved problematic. But the exploit worked in testing.

Sadly for the audience – although happily for the test pilot, who had a shot of Glenlivet before the attempt [Bottoms up! -Weekend Ed] – the DEF CON demo of the hack didn't work, but the duo had previously demonstrated it at KiwiCon and on video.

The pair contacted Boosted to report the flaw but the company initially refused to believe them, since it was sure that the Bluetooth channel was encrypted. The firm – now convinced by the hack – plans to issue an emergency patch in the next few days.

"We have fixed this issue, and the fix will be included in our upcoming firmware release," Boosted said in a blog post. "This new firmware version, v2.0, adds Bluetooth encryption to prevent this exploit from working, and the security researchers verified this on their last visit to Boosted several weeks ago." ®
