Äike were an Estonian scooter company, which sadly went bust last year. [Rasmus Moorats] has one, and since the app and cloud service the scooter depends on have lost functionality, he decided to reverse engineer it. Along the way he achieved his goal, but found a vulnerability that unlocks all Äike scooters.
The write-up is a tale of app and Bluetooth reverse engineering, ending with the startling revelation of a hardcoded key that’s simply “ffffffffffffffff”. From that he can unlock and interact with any Äike scooter, except for a subset that were used as hire scooters and didn’t have Bluetooth. Perhaps of more legitimate use is the reverse engineering of the scooter functionality.
What do you do when you find a vulnerability in a product whose manufacturer has gone? He reported it to the vendor of the IoT module inside the scooter, who responded that the key was a default value that should have been changed by the Äike developers. Good luck, should you own one of these machines.
Meanwhile, scooter hacking is very much a thing for other manufacturers too.

“fffffffffffff” is the sound I make when hearing of another such glaring security omission in devices that are needlessly IoT.
Wow, what a story and hacking skills!
The module’s development environment using a default key of all ‘FF’ is likely because that’s the default state of any one-time-programmable ROM or fuse area. You can accidentally burn ‘FF’ to the device all you want, and it won’t permanently modify the device, which is great for development.
I wonder if that key is an artefact of erased flash