Security Engineering: Inside the Scooter Startups

A year ago, ridesharing scooter startups were gearing up for launch. Workers at Bird, Lime, Skip, and Spin were busy improving their apps, retrofitting scooters, and most importantly, figuring out the logistics of distributing thousands of electric scooters along the sidewalks of the Bay Area. These companies were gearing up for a launch in early summer, but one company — nobody can remember exactly who — decided to launch early. First mover advantage, and all. Overnight, these scooter companies burst into overdrive, chucking scooters out of panel vans onto the sidewalk simply to keep up with the competition.

The thing about San Francisco, and California in general, is that it’s a very direct democracy masquerading as a representative government. Yes, there are city council members and a state legislature, but the will of the people will rule. No one liked tripping over the scooters littering the sidewalks, so the scooters ended up at the bottom of a lake. Or in trees. Or in the trash. In time, city permits were issued, just like a hot dog cart or any other business operating on a public sidewalk, and the piles of electric scooters disappeared. Not before hundreds of scooters were vandalized, that is.

It’s still early in the electric scooter rental startup space, but if there’s one company leading the pack, it’s Bird. They’re getting the most press, the CEO was formerly at Lyft and Uber (which explains the press), and they’ve raised nearly half a billion dollars in funding (which also explains the press). Bird is valued at two billion dollars, and it’s one of four major ridesharing scooter startups. Pets.com had nothing on this.

Despite how overvalued you think a scooter startup might be, they’re still a business, and they’re ruled by the bottom line. Bird has grown a lot in the past year, and with that comes engineering challenges. The Bird scooters must be more resistant to vandalism. The Bird scooters must be harder to steal. Above all else, they must remain in service longer. This is the teardown of how Bird managed to improve their bottom line and engineer a better scooter.


The Bedside Light App That Phones Home

Desiring a bedside lamp with a remote control, [Peadar]’s wife bought a Xiaomi Yeelight, an LED model with an accompanying Android app. Since he’s a security researcher by trade, he subjected the app to a close examination and found it demanding permissions and phoning home to a far greater extent than you’d expect from a bedside light.

His write-up is worth a read for its fascinating run-through of the process for investigating any Android app, and for how it reveals the point at which the software crosses the line from simple light controller to creepy data-slurper. The ability to create accounts on your device, download without notification, read your WiFi details and location, and record audio is not what you’d expect to be necessary in this application. He also looks into the Xiaomi web services the app uses to phone home, revealing some interesting quirks along the way.
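The first step of that investigation, whatever the app, is to pull its requested permissions out of the manifest and compare them with what the app’s stated job actually needs. The script below is an added example, not [Peadar]’s code or anything from Xiaomi: it parses a constructed manifest (the permission names are real Android permission strings chosen to match the capabilities described above, the package name and layout are made up) and reports every permission a lamp controller has no obvious use for. The baseline of “reasonable” permissions and the risk notes are assumptions you would adjust per app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not the Yeelight app's real manifest). The
# permission names are genuine Android permission strings picked to mirror
# the capabilities described in the write-up: accounts, silent download,
# Wi-Fi details, location, audio.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lampcontroller">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
    <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
    <application android:label="Lamp">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Assumed baseline: a lamp controller that talks to the bulb over the LAN or
# a cloud relay needs network access and a way to check connectivity.
# Anything beyond this deserves a question.
LAMP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions that hand the app a capability well outside "turn the light on".
# The notes are the reviewer's own summary of what each grants.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO": "can record audio via the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.GET_ACCOUNTS": "enumerates accounts on the device",
    "android.permission.AUTHENTICATE_ACCOUNTS": "can create/manage accounts",
    "android.permission.ACCESS_WIFI_STATE": "reads Wi-Fi details (SSID/BSSID)",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent downloads",
}


def requested_permissions(manifest_xml):
    """Return every <uses-permission> name declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get("{%s}name" % ANDROID_NS)
            if name:
                perms.append(name)
    return perms


def triage(manifest_xml, baseline=LAMP_BASELINE):
    """Split requested permissions into those outside the baseline and,
    among those, the ones with a known high-risk capability."""
    requested = set(requested_permissions(manifest_xml))
    unexpected = sorted(requested - baseline)
    flagged = {p: HIGH_RISK[p] for p in unexpected if p in HIGH_RISK}
    return unexpected, flagged


if __name__ == "__main__":
    unexpected, flagged = triage(SAMPLE_MANIFEST)
    print("Permissions beyond the lamp baseline:")
    for perm in unexpected:
        print("  %-55s %s" % (perm, flagged.get(perm, "")))
```

On a real APK the manifest is stored as binary XML, so decode it first (for example with `apktool d app.apk`, or list permissions directly with `aapt dump permissions app.apk`) and feed the resulting text to `triage`. The permission list is only the starting point: a permission that is granted but never exercised is a smaller worry than one that is, which is why the write-up goes on to look at what the app actually sends home.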

This story has received some interest across the Internet, and rightly so, since it represents a worrying over-reach of corporate electronic intrusion. It is interesting, though, to see commentary whose main concern is that the servers doing the data-slurping are in China, as though in this context the location were the issue rather than the practice itself. We’ve written before about how some mildly sinister IoT technologies seem to bridge the suspicion gap while others don’t; it would be healthy to see all such services subjected to the same appraisal.

As a postscript, [Peadar] couldn’t get the app to find his wife’s Yeelight, let alone control it. That the spy part of the app works while the on-the-surface part doesn’t speaks volumes about the development priorities of its originator.

Image: Xiaomi Yeelight website.

Move Over Baofeng, Xiaomi Want To Steal Your Thunder

To a radio amateur who received their licence decades ago there is a slightly surreal nature to today’s handheld radios. A handheld radio should cost a few hundred dollars, or such was the situation until the arrival of very cheap Chinese radios in the last few years.

The $20 Baofeng or similar dual-bander has become a staple of amateur radio. They’re so cheap that you just buy one because you can; you may rarely use it, but for $20 it doesn’t matter. Most radio amateurs will have one lying around, and many newly licensed amateurs will make their first contacts on one. They’re not even the cheapest option, either: if you don’t mind the absence of an LCD and being limited to UHF only, the going rate drops to about $10.

The Baofengs and their ilk are great radios for the price, but they’re not great radios. The transmitter side can radiate a few too many harmonics, and the receivers aren’t the narrowest in bandwidth or the sharpest of hearing. Perhaps some competition in the market will cause an upping of the ante, and that looks to be coming from Xiaomi, the Chinese smartphone manufacturer. Their Mijia dual-band walkie-talkie product aims straight for the Baofeng’s jugular at only $35, and comes in a much sleeker and more contemporary package, as you might expect from a company with a consumer mobile phone heritage. Many radio amateurs are not known for being dedicated followers of fashion, but for some operators the sleek casing of the Mijia will be a lot more convenient than the slightly chunkier Baofeng.

This class of radio offers the hardware hacker more than just an off-the-shelf radio product: at only a few tens of dollars, they become almost a throwaway development system for the radio hacker. We’ve seen interesting things done with the Baofengs, and we look forward to seeing inside the Xiaomi.

We brought you a look at the spurious emissions of this class of radio last year, and an interesting project with a Baofeng using GNU Radio in a slightly different sense to its usual SDR function.

[via Southgate ARC]