Security Engineering: Inside The Scooter Startups

A year ago, ridesharing scooter startups were gearing up for launch. Workers at Bird, Lime, Skip, and Spin were busy improving their app, retrofitting scooters, and most importantly, figuring out the logistics of distributing thousands of electronic scooters along the sidewalks of the Bay Area. These companies were gearing up for a launch in early summer, but one company — nobody can remember exactly who — decided to launch early. First mover advantage, and all. Overnight, these scooter companies burst into overdrive, chucking scooters out of panel vans onto the sidewalk simply to keep up with the competition.

The thing about San Francisco, and California in general, is that it’s a very direct democracy masquerading as a representative government. Yes, there are city council members and a state legislature, but the will of the people will rule. No one liked tripping over the scooters littering the sidewalks, so the scooters ended up at the bottom of a lake. Or in trees. Or in the trash. In time, city permits were issued, just like a hot dog cart or any other business operating on a public sidewalk, and the piles of electric scooters disappeared. Not before hundreds of scooters were vandalized, that is.

It’s still early in the electric scooter rental startup space, but if there’s one company leading the pack, It’s Bird. they’re getting the most press, the CEO was formerly at Lyft and Uber (which explains the press), and they’ve raised nearly a half Billion dollars in funding (which explains the press). Bird is valued at two Billion dollars, and it’s one of four major ridesharing scooter startups. had nothing on this.

Despite how overvalued you think a scooter startup might be, they’re still a business, and they’re ruled by the bottom line. Bird has grown a lot in the past year, and with that comes engineering challenges. The Bird scooters must be more resistant to vandalism. The Bird scooters must be harder to steal. Above all else, they must remain in service longer. This is the teardown of how Bird managed to improve their bottom line and engineer a better scooter.

The Economics of Scooter Rentals

The economics of Bird scooter rentals has been covered in-depth, but came mostly in the middle of last year during the increasing distribution and meteoric descent of ridesharing scooters. The best assessment of Bird’s economic model from this time comes from Haje Jan Kamps of Bolt. The unit economics of Bird scooters actually makes sense, and a scooter rental company can actually make money. The key is how many times the scooters are used before they become unsalvageable.

There are problems with this economic assessment; the assumptions are wrong, and the back-of-the envelope calculation that Bird was spending $400 to put a single scooter on the road was incorrect. According to The Information, in May — a month after Jan Kamps assessment — Bird was spending $551 per scooter. This affects the numbers, but not the calculations. If a scooter can last long enough to generate a profit, Bird will make money. Everything else is secondary.

And so we come to the engineering problem. How do you improve the design of a scooter to last longer? Any problem with Bird’s financial plans aren’t tied to laws or city permits. The core problem is making the scooters last longer, and over the past year they’ve been improving their devices.

Four different versions of Bird scooters. Image credit: reddit user ITTVx

There are in fact two (or three, or four, depending on your interpretation of ‘wide distribution’) different versions of Bird scooters. The first, and original, is a rebranded Xiaomi Mijia M365 electric scooter. This is not the ‘secret sauce’ Bird keeps close to their chest; resources for Bird Mechanics (people who are paid to repair Bird scooters on the street), refer to this version of the Bird as the M365. The parts are identical. Whatever can be gleaned from the mechanic guide and the actual manual of the Xiaomi M365 reveals these scooters are identical. Since the M365 is a consumer scooter, you can also buy replacement ‘dashboard boards’ to replace the Bird brain, allowing you to take garbage off the street and turn it into your own personal scooter.

As an aside, concerning the M365 scooter, the most valuable component in the scooter is the battery pack. You can buy an entire scooter for about $400. A replacement battery pack containing thirty 18650 cells, with the associated connectors, thermistors, balance charging connectors, and a handy wall-mountable frame, costs $220. This reinforces my belief that the ultimate use of discarded Bird scooters is not as liberated scooters, but as the raw material for a Tesla-style Power Wall. Even considering the cost of raw cells, thirty 18650 cells would cost about $100. The batteries are the golden egg inside Bird’s scooters.

The second main model of Bird scooter is the Bird ESB / ESX. These scooters are manufactured by Ninebot, a subsidiary of Segway, and are vastly more substantial scooters. They weigh more, they’re sturdier, and more importantly to Bird’s bottom line, they are vastly more secure. However, being more robust comes at a cost: the retail price of the Ninebot scooter is approximately $150 more than the Xiaomi M365.

Brain Comparison.

The Bird Brain 1.3, found in the Xiaomi scooters.

The first generation of Bird scooters, based on the Xiaomi M365, used what can only be described as a prototype-level electronics board. The process of converting was simple enough: rip out the Xiaomi controller board, put in a Bird Brain loaded up with a Particle Electron dev board, add a standard, off-the-shelf GPS breakout board, and add a few connectors so it will drop into the Xiaomi frame.

There is no secret sauce to the first versions of the Bird Brains. This is a PCB populated with breakout boards. In terms of engineering, it’s a quick way to get a product out the door, but it is expensive; a better, cheaper solution would be to find a System-on-Module (SoM) that can do cellular and GPS. Tighter integration leads to lower costs.

Although the first version of the Bird Brain was marginally acceptable from an electrical engineering standpoint, mechanically, it failed. The enclosure for the Bird Brain was insufficient, and there are videos of Bird users smashing the Brain box with a rock to disable the scooter. With proper tools (a single screwdriver), the Bird Brain could be completely disabled and discarded in less than two minutes. Again, how-to videos for how to disable an M365 Bird scooter exist.

Replacement controller boards Xiaomi scooters costs $30 which means that stealing a Bird scooter costs $30 (two minutes of time). I haven’t seen a moniker for de-braining a Bird scooter to turn it into your very own personal transportation device — so I’m calling it Bird Boxing.

The V.2 Bird Brain, designed by Mobilogix. Image credit: FCC

The new Bird scooters, on the other hand, are more integrated and more secure. The design of these brains were contracted out by Bird to Mobilogix, manufacturers of asset tracking and IoT devices.

Notable features of the Mobilogix boards include a much, much more integrated design. Instead of Particle dev boards, this board features a Quectel wireless module with an integrated GPS receiver. The connectors for this board are not designed to fit the wires of an existing scooter, instead the scooter and brain board were designed in tandem. Overall, the V.2 Bird Brain is vastly more integrated, a cleaner design, but still slightly overkill. There’s no reason for Mobilogix to use a Cat-1 modem for a device that is sending a few dozen bytes to Bird servers every few minutes.

But Bird learned a lesson with dozens of their scooters finding their way to the bottom of Lake Merritt. The mechanical design of this enclosure is robust. The plastic is polycarbonate, instead of the cheaper ABS found in the first Bird scooters. There’s a gasket meant only for security, as the holes for the buzzer/beeper allow for water intrusion. The installation of the V.2 bird brain requires security Torx screws, where the first Bird Brain was held together with Philips screws and snap-fit plastic. This is much more robust, and the only apparent reason is to deter theft.

A More Expensive Scooter Makes More Money

There is no doubt in my mind the rev 2 scooters, these are the ESB /ESX made by Segway/Ninebot, cost more than the Xiaomi scooters. The tighter integration found in the ESB / ESX and the Bird Zero Brains might save a bit of money, but the ESB / ESX chassis is much more expensive, nearly doubling the cost. The plastic enclosure for the ESB / ESX scooter is more expensive, and the fasteners are more expensive. Bird makes up for this with more riders per scooter lifetime.

This view is reinforced in an interview with Bird CEO Travis VanderZanden. At a summit that’s so hip the chairs were made of Astroturf, VanderZanden said, “Clearly the unit economics didn’t work on those [early] scooters, but that was a test anyway… We quickly scrambled and started creating our own scooters. What we see on the unit economics of those, it’s like night and day.”

What we see here is more evidence Bolt’s assessment was correct: if the scooters live long enough, the company will turn a profit. This becomes a case of Security Engineering, the field that’s responsible for making things tamper-proof and vandalism-resistant. Human Factors also come into play; it’s harder to throw a 30-pound scooter into a lake than a 15-pound scooter. These are subjects we don’t talk about very often on Hackaday, for understandable reasons. Generally, we want to know how to get into something and where our box of security bits went to. We’re not usually designing against vandalism. This, though, is a perfect case study. While Bird is a company that’s only worth Billions on paper, they have managed to do something that doesn’t immediately make sense: they’re spending more on their product, and they’re making more in return.

61 thoughts on “Security Engineering: Inside The Scooter Startups

  1. It’s frustrating how California makes itself so eco-friendly by cutting carbon emissions from cars, and instead increasing carbon emissions Fromm xiamoi factories, and dumping lipo cells in lakes and trash.
    This seems to be a wonderful example of a solution looking for a problem. It’s the ‘saving ourselves through technology’ mentality.
    Instead what’s needed is perhaps a simple psychological hack like encouraging walking and increasing petrol tax?

    Great article though, and interesting to see the evolution of the scooters.

      1. Yes! I have a cheap little kick scooter (not sure if that’s the proper term, but to distinguish it from electric ones). It doubles my speed against walking (and I’m a fast walker).

        1. This always seemed a little funny to me. Leather lasts longer and I have had the same leather jacket for 20 years and I have gone through probably 10 synthetic jackets in that time still have them but they have holes or other issues and I wear the leather jacket more days out of the year. The synthetic jackets wear out or tear or sometimes melt. The have a leather jacket is from the 70s and my leather boots have lasted for the past 4 years or almost constant wear just a resole is needed.

      1. EVs are the future but most don’t want to talk about how polluting rare earth mining is or that cobalt has become a blood diamond.
        Or if the vehicle is not easily repaired and has a long service life it’ll never amortize the emissions debt of it’s manufacturing.

    1. > psychological hack like encouraging walking and increasing petrol tax?

      That’s not a psychological hack, that’s just plain old extortion.

      Aka. How to get the cat to eat the hot mustard? Spread it on its anus, and it has to lick it off.

        1. In life there’s always the possibility that you may be the “ignorant prick” and your attempt to “save” something may be doing more harm than good. It’s a basic problem inherent with the lack of omniscience.

        1. It’s not the job of a city to decrease car usage. It’s their job to provide sufficient roads for the way of transportation choose. A bike is a sports device, not a means of transportation. It is not acceptable that this sh*tty environmentalists decide how I live my life or how I use my time.

          1. A bike is a sports device, not a means of transportation.
            A motorbike is a sports device, not a means of transportation.
            A car is a sports device, not a means of transportation.

            True? I doubt.
            Transportation means getting you from A to B. Maybe 80 kg, but instead you have to move ~2 tons of car metal.
            Compare that to a scooter or a bike. (0.010 to 0.020 tons)
            Getting some fresh air is also good in my opinion.
            less cars > more fresh air + less noise + more space (~100m^2 per car for roads) > healthy for the people and environment.
            The city administration should care about that, and you should too if you like your friends and family :)

  2. How is the rental process managed? Does the “system” let a person take a unit without first identifying themselves and (presumably) providing a means for payment? Shouldn’t that renter be on the hook if the unit is lost or destroyed while in their possession?

  3. I would love to see actual numbers supporting the claim that they are a successful company beyond “it’s been funded for lots of money so clearly it good.” As we’ve seen with Theranos, Energous, and U-Beam just because investors throw money at you does not make your idea good or profitable. Sales reports please oh please sales reports. Prove to me the economics of durable was worth it, don’t just go, we’ll the CEO says so so it must be true. Of course the CEO says the change was good. If he says it was bad investors won’t throw more money at him.

    1. I’m not disputing your point. But the companies you named were vaporware — their product never actually came to market. I don’t think you can compare the scooter companies to those since these are actually produced and being used by customers.

      1. Fair point. So instead I’ll name, Juicero, June (a toaster oven), Sprig, Beepi. There are A LOT of ventures that are funded in silicon valley and for a short while some even sell products. That doesn’t make them good or profitable. (I know Mike your not contesting point just reinforcing mine per your semi suggestion).

  4. Woooowwwww! Torx “security” bits and electronics where you can’t just unplug it! Instead you have to CUT SOME WIRE and crimp on another connector!

    While the value of these is in the motor and the batteries, and until someone figures out how to integrate challenge-response into actual battery pouches / 18650 cells, these are only ever going to be a little bit less stealable.

    It only takes a group of smart kids somewhere poor, to set up scooter-theft-as-a-service. As in, individuals go out and steal the scooter themselves, wrapping alu foil round the brains to shut the modem up, or perhaps cutting the power wire to the brain if that’s enough. Then the skilled ones, the brains, either come by your house and do the crimping and Torxing, or possibly sell you a kit, with an Arduino, a custom shield, some MOSFETs and the Torx screwdriver.

    Not sure how it would most optimally work out as a way to apply brains to making money. Ideally would be a model a bit like Playstation mod chips, where the bypass device itself isn’t illegal to make or sell, and can have a cover story as a replacement for broken controller boards or a control board for DIY builds, just add the heavy hardware, batteries wheels motor etc.

    There’s also the possibility of anyone boobytrapping these scooters for any reason they feel like. If a Bird takes someone’s leg off, in the name of whichever cause, it would surely be a huge problem for Bird Inc to guarantee the safety of the rest of the fleet, since theirs is a very hands-off ownership.

    Finally I wasn’t aware of a massive demand for electric scooters anyway, only thwarted by the high price of purchasing one. None of that is the case. So they’re renting out something people can easily afford, but haven’t chosen to buy.

    Overall I suppose the whole thing serves the purpose of illustrating there’s still plenty of investment money, for a man with a daft idea and a brass neck.

    1. It’s largely a matter of convenience–nobody really wants to deal with hauling around an electric scooter at the mall, or on campus, or trying to find somewhere to leave it that it won’t get stolen. A rental scooter, however, only has the problem of potentially being unavailable when they get back, which just means they have to walk to a different one.

    2. You are giving criminals too much credit. If a torx bit and crimping can deter the majority of the vandals then it’s successful. That extra 2% that are hackers are an acceptable loss. Most people who know how to do that have jobs and better things to do with their time.

      “There’s also the possibility of anyone boobytrapping these scooters for any reason they feel like”
      Anything can be boobytrapped, anything at all. Fortunately the world has few psychos and this isn’t a real issue.

      1. The sort of people who’d bother swapping out the brain board wouldn’t find crimping and a Torx bit any challenge, you can get Torx drivers dirt cheap online or in many shops. There’s pound shops in the UK do a screwdriver with 30 or so swappable bits, 4 Torx among them. You can crimp with a pair of flat-nose pliers if you can’t find a cheap crimper. Or some sort other of bodge.

        Yes anything could be booby trapped, but these are something the public use, like a litter bin, but that’s expected to be moved about, appear and disappear from kerbsides. You could take one to some quiet wasteground somewhere, fit the “adaptation”, then drive it back somewhere public for it’s next user. The surprise can be set to trigger days later. However long, you could find out the servicing period for them if you really tried.

        1. Nah I’m talking encrypted batteries (strictly: cells). If you don’t have the right key to answer it’s challenges, you don’t get any power! Think like inkjet cartridges… now you’re gettin’ it! Yes, a completely evil model whereby something mundane is made more valuable than gold.

          They already fit controller chips into many lithium batteries. It only takes some arsehole with a big idea… what HAVEN’T they tried to add useless encryption to, or twist the sale of something into a “you don’t own it, you only pay for a license to use it” model? Rentable batteries, with a fixed number of charges, why not?

          THAT’S the evil I shouldn’t be speaking of, but I’m sure there’s 10 groups of geniuses somewhere just graduated MIT or somewhere figuring out how they can do it. Or else apply the “inkjet / Windows /. razors ‘n’ blades” model to porridge or sparrows or oxygen or something.

  5. the scooters represent a moral test of DIY-ers. so the conclusion could be drawn that either the hardware is not worth the effort, DIY-ers in general have strong morals, or the sheer amount of scooters outweigh the amount of immoral DIY people in any given area.

  6. As a consumer I want to see if the improvements to the sturdiness of the scooter itself have made it into products I could buy. Assuming consumers take care of the items they buy then not all the changes will be useful, e.g. 30 pounds vs 15, but longevity is always appreciated.

    1. People who live in really boring weather where it’s apparently sensible to ride scooters for a substantial portion of the year.

      Meanwhile, the Segway also failed to change the world.

      1. I see these companies failing harder than Segway on a side note I look forwards to seeing a cheap supply of motors and 18650 cells showing at auction sites and electronics surplus retailers.

        1. Convert 30 scooters into a useful electric car! You might also need a scrapped body from an actual car, probably welding all that tube section together otherwise would result in an ugly car.

    2. In some big cities, driving and parking is more of a nuisance than it’s worth. Hence why yellow taxis are so associated with NYC. So for the non-car people it’s an alternative to walking or public transport.

  7. The convenience of lime bikes and scooters for me for a week as a tourist while on a conference was huge in San Diego. I toured far futher afield than I ever would have, had many more restaurant choices, and even moved hotels with my carry-on in front of me on the scooter. “Parking” was nicely done on the footpath out of the pedestrian flow by most users. Critical numbers meant never more than 2 blocks to find one. They were awesome. They were cheapish and the rides at sunset past the midway were awesome. I even commuted to the airport on one for a laugh!

  8. I live too far away from planned communities and metros to hack these.. Looks like all they do is poll a dataceneter over GPRS and EDGE for activation descriptors.. A wireless-stack memory corruption or configuration bug would allow you to locally activate with a cellphone paying nothing..

    You would need either bluetooth or SDR from what I read. BT is likely disabled.

  9. I live too far away from planned communities and metros to hack these.. Looks like all they do is poll a datacenter over GPRS and EDGE for activation descriptors set bike a transaction from the QR code.. A wireless-stack memory corruption or configuration bug would allow you to locally activate with a cellphone paying nothing..

    You would need either bluetooth or SDR from what I read. BT is likely disabled.

  10. It seems they do have a valid use case but the implementation is flawed. Dedicated parking areas could be one thing – which the company would need
    To pay the relevant council/business for, which would eat into profits but that’s business.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.