IoT sploit: Bird Scooters

You know those rental scooters which litter the sidewalks everywhere you go now? The App Analyst has a fascinating writeup regarding Bird scooters and the minimal security measures taken.

While I was in Prague this summer, these were a favorite for tourists to use, since the Old Town was just large enough that walking took some time, but not worth renting a car or bike. But little do drunk college kids know that riding these on cobblestones (thud-thud-thud-thud) isn’t much fun!

Looks like Bird does leverage CloudFlare to help with VPN stuff, but they don’t have other protections against location spoofing (such as requiring both GPS and WiFi access), nor do they use certificate pinning.

Although not mentioned in the article, exposing access to the internal / restricted API without any sort of authentication is another boo-boo.

Need help setting up a secure RESTful API? Get in touch.

Bypassing the QR code doesn’t just allow for ‘remote registration’ but can be used to DoS; and the damning bit regarding the Nokelock details being included should definitely be removed.

This is just one example of the burgeoning IoT security landscape which will dominate the internet through the 2020s. I can help; just drop me a line!