Much maligned by pedestrians and local governments, e-scooters have rapidly infiltrated dozens of major cities around the world, fuelled by financial backing from Silicon Valley. The electrically powered mobility devices are hailed by some as a green solution to inner-city travel, but their proliferation in cities such as San Francisco has resulted in a backlash that saw an outright ban followed by strict licensing for a limited number of providers.
The backlash has predominantly focused on issues such as the danger e-scooters can pose to pedestrians, as well as users leaving the devices strewn over pavements and public areas once their journeys are complete or the scooters have run out of power. The research from UTSA initially examined those safety problems, but also discovered that there were significant data and security issues associated with the burgeoning sector. E-scooters are currently banned on the UK's roads, paths and cycle lanes, but can be used on private land.
"We were already investigating the risks posed by these micromobility vehicles to pedestrians' safety,” said research lead Murtuza Jadliwala, an assistant professor in UTSA’s Department of Computer Science. “During that study, we also realised that besides significant safety concerns, this new transportation paradigm brings forth new cybersecurity and privacy risks as well.
"We've identified and outlined a variety of weak points or attack surfaces in the current ride-sharing, or micromobility, ecosystem that could potentially be exploited by malicious adversaries right from inferring the riders' private data to causing economic losses to service providers and remotely controlling the vehicles' behaviour and operation."
According to the research, some e-scooter models communicate with the user’s smartphone via a Bluetooth Low Energy channel which can be easily hacked using readily available hardware like Ubertooth and software tools such as WireShark. Hackers could potentially eavesdrop on communications between e-scooters and phones, tapping into data including a user’s preferred route, personal interests, and home and work locations. False GPS directions could also be delivered to smartphones in order to lead riders to locations of the hackers’ choosing.
"Cities are experiencing explosive population growth,” said Jadliwala. “Micromobility promises to transport people in a more sustainable, faster and economical fashion. To ensure that this industry stays viable, companies should think not only about rider and pedestrian safety but also how to protect consumers and themselves from significant cybersecurity and privacy threats enabled by this new technology."