Battery-powered embedded systems (BESs), such as laptops, smartphones, e-scooters, and drones, have become ubiquitous. Their internals (hardware and firmware) include a battery management system (BMS), a radio interface, and a motor controller. Despite the associated risk, there is little research on BES internal attack surfaces. For example, what a (remote) attacker with access to a BMS can accomplish remains unclear. This lack of understanding is primarily due to the challenges of analyzing internal attack surfaces, as these components are vendor-specific, proprietary, and undocumented. To fill this gap, we present the first security and privacy assessment of e-scooters' internals. We cover the Xiaomi M365 (2016) and ES3 (2023) e-scooters and their interactions with Mi Home (their companion app). We extensively reverse engineer (RE) their internals and uncover four critical design vulnerabilities, including a remote code execution issue in their BMS. Based on our RE findings, we develop E-Trojans, four novel attacks targeting BES internals. The attacks can be conducted remotely (via a malicious app) or in wireless proximity (using a BLE device). They have a critical and widespread real-world impact, as they violate the safety, security, availability, and privacy of the Xiaomi e-scooter ecosystem. For instance, one attack allows the extortion of money from a victim via a BMS undervoltage battery ransomware. A second one enables user tracking by fingerprinting the BES internals. With extra RE effort, the attacks can be ported to other BESs featuring similar vulnerabilities. We implement our attacks and RE findings in E-Trojans, a modular and low-cost toolkit to test BES internals. Our toolkit binary-patches BMS firmware to add malicious capabilities, such as disabling firmware updates, controlling internal buses, and turning off safety thresholds. It also implements our undervoltage battery ransomware in an Android app with a working backend.
We successfully test our four attacks on M365 and ES3, empirically confirming their effectiveness and practicality. For example, our undervoltage battery ransomware deteriorates the M365 battery’s autonomy by 50% in three hours, and our user tracking generates a persistent fingerprint to track the user over BLE while also leaking sensitive data about the e-scooter. We propose four practical countermeasures to fix our attacks and improve the Xiaomi e-scooter ecosystem security and privacy.
Title: E-Trojans: Ransomware, tracking, DoS, and data leaks on battery-powered embedded systems
Venue: Submitted to ArXiV, 26 November 2024
Type: Journal
Date: 2024-11-26
Department: Digital Security
Eurecom Ref: 7990
Copyright: © EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in Submitted to ArXiV, 26 November 2024.
Permalink: https://www.eurecom.fr/publication/7990