Black Hat USA 2025 | Ransomware, Tracking, DoS, and Data Leaks on Xiaomi Electric Scooters
Why It Matters
These flaws expose millions of riders to safety, privacy and financial risks, forcing scooter makers to urgently adopt robust firmware signing and encrypted communications to protect the rapidly growing micromobility market.
Key Takeaways
- Xiaomi e‑scooters vulnerable to unsigned Bluetooth firmware updates
- Attackers can trigger over‑voltage battery destruction remotely with malicious firmware
- Undervoltage ransomware can render scooters inoperable via firmware
- Lack of UART integrity enables tracking through unique hardware fingerprints
- Researchers disclosed fixes; manufacturers must patch wireless protocols urgently
Summary
At Black Hat USA 2025, researchers from KTH, URIM and the ITROANS project presented a deep‑dive into the security flaws of Xiaomi’s flagship electric scooters, the M365 and Mi 3. The talk detailed how proprietary Bluetooth‑Low‑Energy protocols and over‑the‑air firmware updates expose the devices to ransomware, battery‑destruction, tracking and denial‑of‑service attacks.
The team identified four critical vulnerabilities: the Bluetooth controller firmware is transmitted unencrypted and unsigned, allowing rogue firmware updates; internal UART communication between the Bluetooth subsystem, motor controller and battery‑management system lacks integrity checks; the battery controller can be reprogrammed via the same channel; and the UART bus is susceptible to simple denial‑of‑service. By exploiting these flaws, the researchers demonstrated a suite of attacks, including an over‑voltage battery‑destruction payload, an undervoltage ransomware that locks the scooter, and a fingerprint‑based tracking method that reads unique serial numbers.
One of the highlights was the claim of the “first ransomware for electric scooters,” where an attacker forces the scooter into a low‑voltage state that prevents charging until a ransom is paid. Another novel attack used an over‑voltage command to physically damage the battery cells. The researchers also showed how a malicious app installed alongside the official Mi Home app can silently push these payloads, and they disclosed the findings to Xiaomi over a two‑year responsible‑disclosure process.
The findings underscore the urgent need for manufacturers to enforce signed firmware, encrypt internal bus traffic and harden Bluetooth authentication. For rental operators and end‑users, the vulnerabilities translate into safety hazards, potential financial loss and privacy breaches, prompting regulators and OEMs to reevaluate IoT security standards for micromobility devices.
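As an added illustration of the signed-firmware requirement above (example code written for this summary, not code from the talk, the researchers or Xiaomi): a minimal update gate that rejects any image whose Ed25519 signature does not verify under a pinned vendor key, and refuses version rollback. The image layout and the generated key pair are assumptions, not the scooter's real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update container, constructed for this example (not the scooter's
// real format): 4-byte little-endian version, 64-byte Ed25519 signature over
// (version || payload), then the payload.
const sigLen = ed25519.SignatureSize

// signImage is the vendor-side step the unsigned Xiaomi update flow lacks.
func signImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.LittleEndian.PutUint32(hdr, version)
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}

// verifyUpdate is the gate to apply before flashing: the signature must verify
// under the pinned vendor public key and the version must not roll back.
func verifyUpdate(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 4+sigLen {
		return 0, nil, errors.New("rejected: truncated image")
	}
	hdr, sig, payload := img[:4], img[4:4+sigLen], img[4+sigLen:]
	// The signature covers header and payload, so neither can be altered in transit.
	if !ed25519.Verify(pub, append(append([]byte{}, hdr...), payload...), sig) {
		return 0, nil, errors.New("rejected: bad signature")
	}
	v := binary.LittleEndian.Uint32(hdr)
	if v < installed {
		return 0, nil, fmt.Errorf("rejected: version %d older than installed %d", v, installed)
	}
	return v, payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor key pair
	img := signImage(priv, 2, []byte("constructed firmware payload"))
	_, _, err := verifyUpdate(pub, 1, img)
	fmt.Println("genuine image:", err)
	img[len(img)-1] ^= 0xff // a single changed payload byte, as a rogue update would differ
	_, _, err = verifyUpdate(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```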