FacePlant Exploit Puts Skateboarders at Risk, Centralized Software Solutions To Blame
One of the main technology stories of last week revolved around various car manufacturers being forced to release over-the-air updates to avoid software hacks. But it looks like car manufacturers are not the only ones who should worry, as electric skateboards are facing similar software security flaws. The hacking revolution is in full effect, and technological gadgets of transportation apparently pose major health risks.
Hacking Electric Skateboards can Cause Major Physical Harm
There is a vast distinction to be made between the hackable software found in cars, and the software found in electric skateboards. So far, security experts have been able to turn off a few car models, but luckily, without causing a potentially dangerous scenario for the driver or any passengers.
Things are slightly different when it comes to electric skateboards, however, as once this mode of transportation is stopped remotely, the rider will be thrown off. Should this ever happen while crossing a busy street, or being in proximity to a bridge or cliff, the consequences could be quite dire, and in some cases, even deadly.
One of the possible culprits for stopping an electric skateboard dead in its tracks is Bluetooth noise. As electric skateboards use radio frequencies to log GPS and connect to the rider’s mobile device, any sort of interference can cause the software to malfunction. As soon as an anomaly is detected, the most common result is an electric skateboard coming to an abrupt halt and throwing for the rider.
However, that being said, the discovery of radio frequency noise as a culprit could lead to the recreation of this environment for hacking purposes. Richo Healey and Mike Ryan, two security researchers, have been looking at various ways to hack electric skateboards. The results of their combined efforts is called FacePlant and poses a serious threat to owners of electric skateboards.
Richo Healey described the FacePlant exploit as follows:
“The attack is basically a synthetic version of the same RF noise that caused my electric skateboard to throw me off back in Melbourne a while ago. It’s easy to point to this and say, “oh it’s just a skateboard”. But for people who are buying these boards and commuting on them every day … there is risk obviously associated with that…. We explicitly did this research in order to make the devices safer.”
The worrying part is that both researchers tested various electric skateboards from different manufacturers, and all of them have at least one critical vulnerability. All communication between the boards and the remotes is unencrypted, leaving it wide open to outside influence. As a result, the FacePlant exploit’s mode of attack works for nearly every individual electric skateboard in existence, albeit the mechanism of execution is slightly different.
Mike Ryan briefly explained potential use cases for the FacePlant exploit:
“Once you have the ability to write arbitrary firmware, you can change the top speed, change the minimum speed, make the board refuse to stop and ignore the existence of the [remote] controller. And after overwriting the firmware, the skateboard owner would have to refresh the firmware to regain control of the board.”
It goes without saying that the execution of a malicious attack against electric skateboards poses a major threat to everyone in the vicinity. Not only the board rider, but also car drivers, pedestrians, cyclists or even animals are put at risk due to what this exploit can do. Once the rider is locked out of the firmware, there is no way to stop the device’s streak of destruction until it moves out of Bluetooth range from the attacker.
Centralized Software Solutions Need to be Replaced
The main cause of concern for such software vulnerabilities lies within the software ecosystems themselves. Every individual manufacturer uses a centralized, proprietary software solution. Additionally, this also means that any bug fixing or vulnerability patching efforts can only be completed by the company.
In the case of Boosted, the company most threatened by the FacePlanet exploit, the vulnerability has been reported back in September of 2014. To this very date, however, the company has still not patched the vulnerability despite promises of having a mitigation technique against the attack in place.
Decentralized software solutions are needed if companies want to make this world a safer place. Now that cars, electric skateboards and possibly even electric bikes are vulnerable to remote control hacks, doing things by foot seems less of a hassle all of a sudden.
What are your thoughts on the FacePlanet exploit, and are you worried about electrical devices being vulnerable? Let us know in the comments below!
Images courtesy of Boosted, Shutterstock, Gizmodo