PT-2019-12829 · Xiaomi · Xiaomi M365
Rani Idan +1 · Published 2019-05-31 · Updated 2020-08-24 · CVE-2019-12500
CVSS v3.1: 6.5 (Medium)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Xiaomi M365 scooter versions prior to 1.5.1
Description
The issue allows spoofing of commands, including "suddenly accelerate", due to the lack of a server-side authentication check for Bluetooth Low Energy commands. Other affected commands include suddenly braking, locking, and unlocking.
Recommendations
For versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider restricting Bluetooth Low Energy connections to trusted devices until a patch is applied.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Xiaomi M365