Hardware Backdooring an e-Scooter

By Arun Mane on 10 Aug 2023 @ Defcamp
#reverse-engineering #ics-security #automotive-cybersecurity
Focus Areas: Industrial Control Systems Security, Malware Analysis

Abstract

Nowadays, smart cars are equipped with many sensors that make them smarter: the car can take decisions automatically, or according to logic written in the ECU.

In the same way, motorcycles and scooters have become smart and run on electricity. Scooters are becoming smarter and smarter than traditional ones that run on gasoline. Intelligent scooters usually run on one or two ECUs, depending on the design. Nobody has yet looked at the smart scooter from a cybersecurity standpoint.

In this talk, we will discuss vulnerabilities that affect the working mechanisms and the functional safety of the vehicle. Our target is an Indian OEM that sold more than 1,50,000 units in a year and continues to sell more. The same vulnerabilities can be found in all the e-scooters sold. We will demonstrate an attack in which we took control of an e-scooter with the help of a hardware implant. The devices used in this research are cost-effective.

The best part of this research talk is that we focus not only on the attack part but also on TARA, which can be beneficial for automotive and IoT representatives, cybersecurity experts, and manufacturers.

In this research, we reverse-engineered all the functionality of the e-scooter with respect to CAN bus messages and the safety functionality implemented in it: main functions such as acceleration and deceleration, side indicators, the braking mechanism, and so on. After reverse engineering the physical e-scooter, we built a hardware implant, installed it inside the scooter, and controlled the entire scooter with the help of the identified vulnerabilities. We can stop the scooter remotely while it is being driven. This is a functionality and safety flaw in the scooter itself. We also attacked other e-scooter models with the same result. We also performed a TARA on the e-scooter as per the ISO 21434 standard and found some serious risks; the attacks shown are derived from that TARA report.

AI Generated Summary

This talk examined the security vulnerabilities of electric scooter (e-scooter) controller area network (CAN) bus systems through hardware implant attacks. The research focused on reverse-engineering the typical communication architecture of modern e-scooters, which often feature single or multi-ECU designs with infotainment systems, battery management systems (BMS), and vehicle control units interconnected via CAN.

Key findings revealed that CAN messages in the tested scooters were unencrypted, identified only by their arbitration IDs and sent at fixed timing intervals. By physically tapping the CAN high/low wires, the researchers intercepted and decoded these messages, identifying critical safety and control signals related to battery status, motor operation, and system warnings. Using low-cost tools like USBtin, they performed several attacks: replay attacks to resend valid commands, CAN injection to forge malicious frames, denial-of-service to disrupt communication, and bus-off attacks to paralyze the entire network. A proof-of-concept hardware implant, built with an ESP32 and an MCP CAN transceiver, was physically integrated into the scooter's wiring harness. This device could remotely trigger the attacks via cellular or Wi-Fi, and successfully disabled the motor and infotainment system both while stationary and during operation, demonstrating a realistic danger of causing a moving vehicle to fail.

The practical implication is that e-scooters, like prior automotive systems, prioritize functional safety mechanisms (e.g., BMS warnings) without cryptographic security, allowing attackers to abuse these safety messages to shut down the vehicle. Mitigation requires integrating security by design, such as using authenticated encryption (e.g., within an AUTOSAR framework) and hardware security modules (HSMs), but cost constraints in the low-margin e-scooter market present a significant barrier. The talk concluded that without dedicated security assessment during design, the growing fleet of connected e-scooters remains broadly vulnerable to targeted physical attacks.
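Because the summary notes that the scooter's CAN traffic is unauthenticated and each arbitration ID is sent at a fixed interval, the cheapest detection a defender can add short of the cryptographic fixes above is a timing monitor: injected or replayed frames arrive ahead of an ID's schedule, and DoS or bus-off attacks show up as an ID going silent. The example below is added here and is not code from the talk; the candump-style log lines, arbitration IDs and periods are constructed for illustration.

```python
import re
from collections import defaultdict

# candump-style line, e.g. "(0.100000) can0 1A0#0A00": (timestamp) iface ID#DATA
LINE_RE = re.compile(r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")

def parse_candump(lines):
    """Parse candump-format lines into time-ordered (timestamp, arbitration_id, data) tuples."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames)

def learn_periods(frames, min_samples=4):
    """Baseline from a trusted capture: median inter-arrival time per arbitration ID."""
    gaps, last = defaultdict(list), {}
    for ts, arb_id, _ in frames:
        if arb_id in last:
            gaps[arb_id].append(ts - last[arb_id])
        last[arb_id] = ts
    return {i: sorted(g)[len(g) // 2] for i, g in gaps.items() if len(g) >= min_samples}

def detect_anomalies(frames, periods, early=0.5, late=3.0):
    """Flag frames arriving far ahead of schedule (injection/replay) and IDs that go
    silent (DoS/bus-off). A flagged frame is not used as the next timing reference."""
    alerts, last = [], {}
    for ts, arb_id, data in frames:
        period = periods.get(arb_id)
        if period and arb_id in last:
            gap = ts - last[arb_id]
            if gap < early * period:
                alerts.append(("early", ts, arb_id, data.hex()))
                continue
            if gap > late * period:
                alerts.append(("gap", ts, arb_id, data.hex()))
        last[arb_id] = ts
    start, end = (frames[0][0], frames[-1][0]) if frames else (0.0, 0.0)
    for arb_id, period in periods.items():  # ID not seen for a long time at capture end
        if end - last.get(arb_id, start) > late * period:
            alerts.append(("silent", end, arb_id, ""))
    return alerts

def make_log(arb_id_hex, data_hex, period, count):
    """Constructed candump lines for one periodic ECU message (sample data, not a real capture)."""
    return [f"({i * period:.6f}) can0 {arb_id_hex}#{data_hex}" for i in range(count)]

# Constructed traffic: 0x1A0 every 100 ms, 0x2B0 every 50 ms (IDs chosen for illustration only)
BASELINE_LINES = make_log("1A0", "0A00", 0.1, 10) + make_log("2B0", "FF", 0.05, 20)
# Suspect capture: same traffic plus a forged 0x1A0 frame and an off-schedule replay of a valid one
SUSPECT_LINES = BASELINE_LINES + ["(0.530000) can0 1A0#0000", "(0.710000) can0 1A0#0A00"]

if __name__ == "__main__":
    periods = learn_periods(parse_candump(BASELINE_LINES))
    for alert in detect_anomalies(parse_candump(SUSPECT_LINES), periods):
        print(alert)
```

Timing alone cannot tell a forged payload from a replayed genuine one, and an attacker who first silences the real ECU with a bus-off attack will only trip the "silent" check, which is why the summary's authenticated-message mitigation is still needed.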

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.