E-Trojans: Ransomware, Tracking, DoS, and Data Leaks on Battery-powered Embedded Systems

Marco Casagrande, Riccardo Cestaro, Eleonora Losiouk, Mauro Conti, Daniele Antonioli

TL;DR

The paper examines the internal attack surface of Xiaomi M365 and Mi3 e-scooters by reverse-engineering their BMS, DRV and BTS boards and the UART and I2C buses that connect them. It identifies four design vulnerabilities, two in the BMS controller (BCTRL) and two in the UART bus, that let an attacker who impersonates Mi Home push a rogue firmware update and gain code execution on the BCTRL. On top of these it builds four E-Trojans, delivered either remotely through a rogue app on the victim's smartphone or from BLE proximity: Overvoltage Battery Destruction (OBD), Undervoltage Battery Ransomware (UBR), user tracking by fingerprinting the internals, and data leakage. The attacks are demonstrated on real devices; OBD and UBR subvert the battery monitor's overvoltage and undervoltage protections, so the hazards include battery destruction and fire. The authors package the attacks and RE findings into a modular, low-cost toolkit and propose four practical countermeasures. The work shifts attention from the e-scooter's external interfaces to its internals and makes the case for protecting the firmware-update path and the internal buses.

Abstract

Battery-powered embedded systems (BESs) have become ubiquitous. Their internals include a battery management system (BMS), a radio interface, and a motor controller. Despite their associated risk, there is little research on BES internal attack surfaces. To fill this gap, we present the first security and privacy assessment of e-scooter internals. We cover Xiaomi M365 (2016) and ES3 (2023) e-scooters and their interactions with Mi Home (their companion app). We extensively reverse-engineer (RE) their internals and uncover four critical design vulnerabilities, including a remote code execution issue in their BMS. Based on our RE findings, we develop E-Trojans, four novel attacks targeting BES internals. The attacks can be conducted remotely or in wireless proximity. They have a widespread real-world impact as they violate the Xiaomi e-scooter ecosystem's safety, security, availability, and privacy. For instance, one attack allows the extortion of money from a victim via a BMS undervoltage battery ransomware. A second one enables user tracking by fingerprinting the BES internals. With extra RE effort, the attacks can be ported to other BESs featuring similar vulnerabilities. We implement our attacks and RE findings in E-Trojans, a modular and low-cost toolkit to test BES internals. Our toolkit binary-patches BMS firmware by adding malicious capabilities. It also implements our undervoltage battery ransomware in an Android app with a working backend. We successfully test our four attacks on M365 and ES3, empirically confirming their effectiveness and practicality. We propose four practical countermeasures to fix our attacks and improve the Xiaomi e-scooter ecosystem's security and privacy.

Paper Structure

This paper contains 25 sections, 6 figures, 3 tables.

Figures (6)

  • Figure 1: E-Trojans block diagram and attacker models. The green rectangle shows e-scooter internals (BMS, DRV, and BTS boards, and UART and I2C buses). The blue rectangle shows BMS components (BCTRL and BMON connected via I2C). We consider a proximity attacker in the BLE range of the e-scooter and a remote one who installed a rogue app (e.g., an e-scooter modding app) on the victim's smartphone. We show four design vulnerabilities affecting the BCTRL (V1, V2) and the UART bus (V3, V4).
  • Figure 2: Disassembled M365 (left) and Mi3 (right). We color-coded the boxes to visualize the DRV (orange), the BMS (blue), and the soldered ST-Link wires (fuchsia).
  • Figure 3: E-Trojans attack technique. The attacker, impersonating Mi Home, utilizes the Malicious Pairing or Session Downgrade technique from E-Spoofer esp-gh to authenticate to the BTS of the victim's e-scooter. Then, they perform a rogue firmware update that installs a malicious BCTRL, resulting in remote code execution.
  • Figure 4: Overvoltage Battery Destruction (OBD). The Malicious BCTRL (the attacker) sets the OV threshold to the highest value (i.e., 4.7V). When the BMON detects overvoltage and tries to mitigate it, the attacker stops it by modifying the overvoltage fault bit, the MOSFET charge bit, and the voltage balancing bits. It also maintains stealthiness by spoofing fake sensor readings to Mi Home.
  • Figure 5: Undervoltage Battery Ransomware (UBR). The Malicious BCTRL (the attacker) sets the UV threshold to the lowest value (i.e., 1.58V), locks the e-scooter, and prevents it from charging (MOSFET charge bit). When the BMON detects undervoltage, the attacker breaks safety protections by altering the undervoltage fault bit, the MOSFET discharge bit, and the voltage balancing bits. UBR maintains stealthiness by spoofing sensor data, but, when triggered, will reveal its presence via BLE advertising. If the user pays the ransom, the ransom payment app submits the restore code that enables firmware updates and flashes the legitimate BCTRL firmware.
  • ...and 1 more figure
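The Figure 4 and Figure 5 captions describe the same pattern twice: a compromised BCTRL pushes the BMON's protection threshold to an extreme value, then overrides the fault bit and the MOSFET bit that the monitor uses to react. A monitor that treats its threshold and fault registers as plausibility-checked inputs rather than as raw writable state would stop both sequences at the first step. The following C program is an added illustration, not code from the paper or its toolkit: it models that guard over a constructed write sequence. The register model, the write kinds, the 4250 mV ceiling and 2700 mV floor, and the initial thresholds are assumptions chosen for the example, not the real BMON register map or its limits.

```c
/* Added illustration (not the paper's code). Models a plausibility guard on
 * the BCTRL -> BMON writes described in Figures 4 and 5. Register names,
 * limits and the write model are assumptions, not the real BMON register map. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OV_THRESH_MAX_MV 4250u  /* assumed ceiling for a writable OV threshold */
#define UV_THRESH_MIN_MV 2700u  /* assumed floor for a writable UV threshold */

typedef enum {
    W_OV_THRESH,  /* set overvoltage threshold (mV) */
    W_UV_THRESH,  /* set undervoltage threshold (mV) */
    W_FAULT_CLR,  /* clear the OV/UV fault bits */
    W_CHG_FET,    /* 1 = enable charge MOSFET, 0 = disable */
    W_DSG_FET,    /* 1 = enable discharge MOSFET, 0 = disable */
    W_BALANCE     /* cell balancing bits (no invariant modelled here) */
} bmon_write_kind;

typedef struct { bmon_write_kind kind; uint16_t value; } bmon_write;

typedef struct {
    uint16_t ov_thresh_mv, uv_thresh_mv;
    uint16_t cell_mv;               /* current measured cell voltage */
    bool ov_fault, uv_fault;
    bool chg_fet, dsg_fet;
} bmon_state;

typedef enum {
    V_OK = 0,
    V_REJ_OV_THRESH,   /* threshold above the ceiling (OBD, first step) */
    V_REJ_UV_THRESH,   /* threshold below the floor (UBR, first step) */
    V_REJ_FAULT_CLR,   /* clearing a fault whose condition still holds */
    V_REJ_CHG_FET,     /* re-enabling charging while in overvoltage */
    V_REJ_DSG_FET      /* re-enabling discharge while in undervoltage */
} bmon_verdict;

void bmon_init(bmon_state *s, uint16_t cell_mv) {
    s->ov_thresh_mv = 4200; s->uv_thresh_mv = 3000;   /* assumed defaults */
    s->cell_mv = cell_mv;
    s->ov_fault = s->uv_fault = false;
    s->chg_fet = s->dsg_fet = true;
}

/* Faults derive from the measurement, so a register write cannot un-latch them. */
static void bmon_refresh_faults(bmon_state *s) {
    s->ov_fault = s->cell_mv > s->ov_thresh_mv;
    s->uv_fault = s->cell_mv < s->uv_thresh_mv;
}

/* Applies one write from the controller, rejecting any that would defeat protection. */
bmon_verdict bmon_apply(bmon_state *s, bmon_write w) {
    bmon_refresh_faults(s);
    switch (w.kind) {
    case W_OV_THRESH:
        if (w.value > OV_THRESH_MAX_MV) return V_REJ_OV_THRESH;
        s->ov_thresh_mv = w.value; break;
    case W_UV_THRESH:
        if (w.value < UV_THRESH_MIN_MV) return V_REJ_UV_THRESH;
        s->uv_thresh_mv = w.value; break;
    case W_FAULT_CLR:
        if (s->ov_fault || s->uv_fault) return V_REJ_FAULT_CLR;
        break;
    case W_CHG_FET:
        if (w.value && s->ov_fault) return V_REJ_CHG_FET;
        s->chg_fet = w.value != 0; break;
    case W_DSG_FET:
        if (w.value && s->uv_fault) return V_REJ_DSG_FET;
        s->dsg_fet = w.value != 0; break;
    case W_BALANCE:
        break;
    }
    bmon_refresh_faults(s);
    return V_OK;
}

/* Replays a write sequence, records each verdict, returns how many were rejected. */
int bmon_replay(bmon_state *s, const bmon_write *seq, int n, bmon_verdict *out) {
    int rejected = 0;
    for (int i = 0; i < n; i++) {
        out[i] = bmon_apply(s, seq[i]);
        if (out[i] != V_OK) rejected++;
    }
    return rejected;
}

/* Constructed sequences mirroring the captions: OBD raises the OV threshold,
 * clears the fault and re-enables charging; UBR lowers the UV threshold,
 * disables charging, clears the fault and re-enables discharge. */
static const bmon_write OBD_SEQ[] = {
    {W_OV_THRESH, 4700}, {W_FAULT_CLR, 0}, {W_CHG_FET, 1}, {W_BALANCE, 0}
};
static const bmon_write UBR_SEQ[] = {
    {W_UV_THRESH, 1580}, {W_CHG_FET, 0}, {W_FAULT_CLR, 0}, {W_DSG_FET, 1}
};

int main(void) {
    bmon_state s; bmon_verdict v[4];
    bmon_init(&s, 4350);   /* cell already above the 4.2 V threshold */
    printf("OBD: %d of 4 writes rejected\n", bmon_replay(&s, OBD_SEQ, 4, v));
    bmon_init(&s, 2500);   /* cell already below the 3.0 V threshold */
    printf("UBR: %d of 4 writes rejected\n", bmon_replay(&s, UBR_SEQ, 4, v));
    return 0;
}
```

Note what the guard cannot do: in the UBR sequence, disabling the charge MOSFET is a legitimate command, so it passes; only the threshold write, the fault clear and the discharge re-enable are refused. The same limit applies to the sensor-reading spoofing both captions mention: once the BCTRL is running attacker firmware, anything it reports to Mi Home is untrustworthy, which is why a check inside the monitor is a complement to, not a substitute for, authenticating the firmware update itself.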