Ethical Hacking News
A recent discovery by an Estonian e-scooter owner has exposed a critical flaw in Äike's app-controlled electric scooters. The startup's failure to properly manage keys left its users vulnerable, even after the company went bankrupt. By reverse-engineering his own scooter, the user found that unlocking his ride required no more than accessing the default private key used by all Äike scooters. This case highlights a familiar IoT weakness: default settings left in place without proper key management. The revelation has brought attention to this issue, underscoring the need for companies to prioritize secure key management in their devices.
Äike's e-scooter startup left its users vulnerable due to insecure key management after ceasing operations.
The company's app-controlled scooters relied on a phone and backend servers, making them dependent on cloud services that could fail.
An Estonian security researcher discovered that the scooters used a default private key instead of unique keys per scooter, allowing him to unlock any nearby scooter.
The flaw highlights the importance of secure key management in IoT devices, especially when companies cease operations and leave users vulnerable to exploitation.
Äike, an Estonian e-scooter startup that filed for bankruptcy last year, left its users with a costly lesson in the importance of secure key management. The company's app-controlled electric scooters, which relied on a phone and backend servers to function, were plagued by issues once the startup ceased operations. Owners found themselves locked out of their rides, forced to rely on cloud services that sometimes failed to answer.
Rasmus Moorats, an Estonian security researcher and penetration tester, took matters into his own hands. Instead of trusting his commute to a bankrupt startup's servers, he decided to reverse-engineer his scooter to see how it really worked. A closer look at the Android app and Bluetooth traffic revealed that locking, unlocking, and basic status checks all occurred locally over Bluetooth, with the cloud playing a mostly secondary role.
Before accepting commands, the scooter ran a simple authentication check. It sent a short challenge, the app replied with a cryptographic response, and access was granted. In theory, this was designed to prevent random passers-by from hopping on and riding off. In practice, however, the secret used to generate that response was never properly set. Instead of unique keys per scooter, Äike shipped all models with the same placeholder value: a default private key that was meant to be replaced before production, a replacement that simply never happened.
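The challenge-response check described above, with the factory-side control that was missing, as an added example that is not code from the article, the researcher, or Äike. It assumes an HMAC-SHA256 response and an HMAC-based per-device key derivation (the article does not name the algorithm); `PLACEHOLDER_KEY`, the serials and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a vendor default key; not a value from any real scooter.
PLACEHOLDER_KEY = bytes(16)

def derive_device_key(master_secret: bytes, serial: str) -> bytes:
    """Per-device key from a factory master secret and the serial (assumed scheme)."""
    return hmac.new(master_secret, b"device-key|" + serial.encode(), hashlib.sha256).digest()

def provision(serial: str, key: bytes, issued: dict) -> None:
    """Factory gate: refuse placeholder, weak, or already-issued keys."""
    if key == PLACEHOLDER_KEY or len(set(key)) <= 1:
        raise ValueError(f"{serial}: placeholder key was never replaced")
    if len(key) < 16:
        raise ValueError(f"{serial}: key too short")
    if key in issued.values():
        raise ValueError(f"{serial}: key already issued to another device")
    issued[serial] = key

def respond(key: bytes, challenge: bytes) -> bytes:
    """App side: prove knowledge of the key for this one challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Device:
    """Device side of the challenge-response check."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh nonce per attempt
        return self._pending

    def verify(self, response: bytes) -> bool:
        pending, self._pending = self._pending, None  # single use: blocks replay
        return pending is not None and hmac.compare_digest(respond(self._key, pending), response)

def accepts(device: Device, app_key: bytes) -> bool:
    """Run one exchange: does `device` accept an app holding `app_key`?"""
    return device.verify(respond(app_key, device.challenge()))

if __name__ == "__main__":
    issued = {}
    master = os.urandom(32)  # constructed here; held in factory key storage in practice
    a, b = (derive_device_key(master, s) for s in ("SC-0001", "SC-0002"))
    provision("SC-0001", a, issued); provision("SC-0002", b, issued)
    print("own key accepted:", accepts(Device(a), a))
    print("other device's key accepted:", accepts(Device(b), a))
```

With a fleet-wide shared key the exchange still succeeds for every device, which is why the check has to happen at provisioning time rather than in the protocol itself.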
Moorats discovered this flaw after reverse-engineering his own scooter and finding that it had been left with the default private key. This let him unlock his scooter without the cloud, an issue he claims is not unique to him. With a short script and standard tools, he was able to unlock any nearby scooter, whether it belonged to him or to another user.
The revelation of this flaw has brought attention to a familiar IoT weakness: default settings left in place without proper key management. Once smart devices die with their makers, reverse engineering becomes less of a hobby and more of a basic ownership skill for owners looking to maintain functionality without relying on cloud services that might fail.
Moorats disclosed the issue to the hardware supplier but found himself at a dead end as the manufacturer was no longer operational. This case highlights the need for companies to properly manage their keys and secure their devices, especially in scenarios where the company ceases operations, leaving users vulnerable to exploitation.
The security researcher's discovery serves as a reminder of the importance of secure key management in IoT devices. As more smart devices enter the market, it is crucial that companies prioritize this aspect of device security to avoid similar issues emerging with other brands.
Published: Fri Jan 16 06:08:38 2026 by llama3.2 3B Q4_K_M