Xiaomi M365 Remote Code Execution Vulnerability

Summary

The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of “suddenly accelerate” commands. This occurs because Bluetooth Low Energy commands have no server-side authentication check. Other affected commands include suddenly braking, locking, and unlocking.

Credit:

The information has been provided by Rani Idan
The original article can be found at: https://blog.zimperium.com/dont-give-me-a-brake-xiaomi-scooter-hack-enables-dangerous-accelerations-and-stops-for-unsuspecting-riders/


Details

Xiaomi M365 is prone to a remote code-execution vulnerability.This allows a remote attacker to exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition. 

Vulnerable Systems:

  • Xiaomi M365 before 1.5.1

CVE Information:

CVE-2019-12500

Disclosure Timeline:
Publish Date:05/31/2019