E-Trojans: Ransomware, Tracking, DoS, and Data Leaks on Battery-powered Embedded Systems

Marco Casagrande, Riccardo Cestaro, Eleonora Losiouk, Mauro Conti, Daniele Antonioli
2024-11-26
Abstract: Battery-powered embedded systems (BESs) have become ubiquitous. Their internals include a battery management system (BMS), a radio interface, and a motor controller. Despite their associated risk, there is little research on BES internal attack surfaces. To fill this gap, we present the first security and privacy assessment of e-scooter internals. We cover the Xiaomi M365 (2016) and ES3 (2023) e-scooters and their interactions with Mi Home (their companion app). We extensively RE their internals and uncover four critical design vulnerabilities, including a remote code execution issue with their BMS. Based on our RE findings, we develop E-Trojans, four novel attacks targeting BES internals. The attacks can be conducted remotely or in wireless proximity. They have a widespread real-world impact as they violate the Xiaomi e-scooter ecosystem's safety, security, availability, and privacy. For instance, one attack allows the extortion of money from a victim via a BMS undervoltage battery ransomware. A second one enables user tracking by fingerprinting the BES internals. With extra RE efforts, the attacks can be ported to other BESs featuring similar vulnerabilities. We implement our attacks and RE findings in E-Trojans, a modular and low-cost toolkit to test BES internals. Our toolkit binary-patches BMS firmware by adding malicious capabilities. It also implements our undervoltage battery ransomware in an Android app with a working backend. We successfully test our four attacks on the M365 and ES3, empirically confirming their effectiveness and practicality. We propose four practical countermeasures to fix our attacks and improve the Xiaomi e-scooter ecosystem's security and privacy.
Cryptography and Security
What problem does this paper attempt to address?
The main problem this paper addresses is the security and privacy of the internal attack surface of battery-powered embedded systems (BESs), such as electric scooters, smartphones and drones. Specifically, the paper focuses on the attack risks faced by the internal components of these devices (battery management systems, radio interfaces and motor controllers), and especially on what a remote attacker can achieve by gaining access to the battery management system (BMS).

### Core Problems of the Paper

1. **Lack of Research on the Internal Attack Surface of BESs**
   - Although BESs are ubiquitous in modern society, research on their internal attack surfaces is very limited. This is mainly because these components are usually manufacturer-specific, proprietary and undocumented.
2. **Design Flaws and Their Potential Threats**
   - The paper reveals four key design flaws in Xiaomi electric scooters, including a remote code execution flaw. These flaws enable attackers to carry out remote attacks through malicious applications or Bluetooth Low Energy (BLE) devices, affecting the security, privacy and availability of the devices.
3. **Impact of Actual Attacks**
   - To verify the real-world impact of these flaws, the researchers developed four new attacks (E-Trojans) and successfully tested their effectiveness and stealth. For example, one attack can reduce the battery life of an electric scooter by 50% within 3 hours through BMS undervoltage ransomware, and another can track users through fingerprinting.

### Solutions and Contributions

- **Security and Privacy Assessment**: For the first time, the paper conducts a security and privacy assessment of the internal attack surface of electric scooters, specifically the Xiaomi M365 and ES3 models.
- **Development of New Attacks**: Four new attacks (E-Trojans) are proposed, including undervoltage ransomware and user-tracking attacks, demonstrating how the discovered flaws can be exploited to achieve malicious goals.
- **Toolkit Release**: An open-source toolkit is developed to carry out these attacks and further reverse-engineer the Xiaomi electric scooter ecosystem; it can also be applied to other similar BESs.
- **Experimental Verification**: Experiments demonstrate the feasibility and stealth of the four attacks in real-world scenarios.
- **Countermeasure Proposals**: Four effective and backward-compatible countermeasures are proposed to fix the discovered flaws and attacks and to enhance the security of the Xiaomi electric scooter ecosystem.

### Summary

The paper aims to fill the research gap on the internal attack surface of battery-powered embedded systems, reveals serious design flaws in these devices, and verifies the harm of these flaws through practical attacks. At the same time, it provides concrete countermeasures and tools, offering an important reference for improving the security and privacy protection of such devices.