SoylentNews is people

posted by Fnord666 on Monday October 21 2019, @08:52AM
from the flipping-the-bird dept.

Submitted via IRC for FatPhil

mjg59 | Letting Birds scooters fly free

Bird produce a range of rental scooters that are available in multiple markets. With the exception of the Bird Zero[1], all their scooters share a common control board described in FCC filings. The board contains three primary components - a Nordic NRF52 Bluetooth controller, an STM32 SoC and a Quectel EC21-V modem. The Bluetooth and modem are both attached to the STM32 over serial and have no direct control over the rest of the scooter. The STM32 is tied to the scooter's engine control unit and lights, and also receives input from the throttle (and, on some scooters, the brakes).

The pads labeled TP7-TP11 near the underside of the STM32 and the pads labeled TP1-TP5 near the underside of the NRF52 provide Serial Wire Debug, although confusingly the data and clock pins are the opposite way around between the STM and the NRF. Hooking this up via an STLink and using OpenOCD allows dumping of the firmware from both chips, which is where the fun begins. Running strings over the firmware from the STM32 revealed "Set mode to Free Drive Mode". Challenge accepted.

[...] In summary: Secrets that are stored on hardware that attackers can run arbitrary code on probably aren't secret, not having verified boot on safety critical components isn't ideal, devices should have meaningful cryptographic identity when authenticating against a remote endpoint.

Bird responded quickly to my reports, accepted my 90 day disclosure period and didn't threaten to sue me at any point in the process, so good work Bird.

[...] (Note: These issues were disclosed to Bird, and they tell me that fixes have rolled out. I haven't independently verified)



  • (Score: 2) by jmichaelhudsondotnet (8122) on Monday October 21 2019, @09:05AM (#909815)

    Good thing we have the rental scooters locked down, can you do the same thing for my router, phone and laptop? And the cloud?

    What!? They are (almost always) blackbox devices that cannot be analyzed in any possible discrete method?

    How can we fix what can't be seen, if that is the only alternative to giving other untrustworthy people and their batshit institutions entrance into my life through the devices they intentionally manufactured to do so without the threat of recourse?

    Auditing ftw though, I would like to see a lot more of this stuff.

    • (Score: 0) by Anonymous Coward on Monday October 21 2019, @09:08AM (#909819)

      How can we fix what can't be seen,

      By software, like anyone else.

      • (Score: 4, Insightful) by driverless (4770) on Monday October 21 2019, @11:18AM (#909843)

        How can we fix what can't be seen,

        By software, like anyone else.

        By threatening legal action and arbitrary prosecution under over-broad "anti-hacking" laws, like everything else.

  • (Score: 2) by driverless (4770) on Monday October 21 2019, @11:21AM (#909845)

    From the highly entertaining talk at Kawaiicon 2019 [kawaiicon.org]. Video may be online at some point.

  • (Score: 1, Funny) by Anonymous Coward on Monday October 21 2019, @03:30PM (#909892)

    Isn’t that refreshing
