E-Scooters: An unexpected cyber risk

April 9, 2020 / 5 min read

This article was written in conjunction with students studying risk management at Old Dominion University (ODU).

The introduction of e-scooters has contributed to the growth of micromobility and continuous shifts in transportation as a whole. A recent study estimated that e-scooters could be a $50 billion market by 2025, with approximately 50 percent of usage stemming from Europe and the United States.¹

imagefe9dn

One potential driver of this trend is urbanization: The United Nations projects that 68 percent of the world’s population will reside in cities by 2050. In response to these developments, e-scooter rental companies are placing their scooters in major cities and suburbs across the nation, and even around the world.

E-scooters provide numerous benefits, ranging from fiscal to environmental. However, their increased use is exacerbating existing risks and even creating a host of new ones that warrant consideration. While physical risks have been covered in depth, there are also various concerns pertaining to cyber risks as well. These include:

customer data and fund theft via e-scooter QR codes
geo-location leading to potential kidnap and ransom, and
hacker control of e-scooter operation and e-scooter audio

The Internet of Things, QR codes, and e-scooters

As a connected, Internet of Things (IoT) devices, e-scooters are at risk of a potential cyberattack.

Typically, e-scooters continuously provide their respective companies with real-time data, including: the location of each scooter, how much time a customer spends riding the scooter, and indications if a scooter is not functioning properly. While the IoT provides continuous connectivity, the technology reportedly can lack sufficient cybersecurity measures, thus putting consumers’ data and privacy at risk.

Most e-scooters use QR scanning to link an account to the e-scooter for the user to start riding.² This poses cybersecurity risks that may put a user’s information in harm's way. A 2019 proof-of-concept audit from a security consultancy dove into various vulnerabilities lurking within one popular e-scooter company’s application programming interface (API).³

An absence of sufficiently protective measures against such vulnerabilities can potentially give hackers unauthorized access to an individual’s account, which typically includes financial and personal information, such as credit card details, e-mail addresses, and phone numbers. Additionally, hackers could also potentially procure the rider’s GPS coordinates through the mobile app, possibly exposing him or her to serious harm.

Cyber criminals could replace e-scooter QR codes with fabricated ones that contain embedded malicious URLs. These URLs can lead consumers to unknowingly provide sensitive information or download dangerous malware through phishing schemes. An article in the South China Morning Post detailed how QR code scams in relation to a bike-sharing program in China were on the rise.⁵ The story reports that legitimate QR codes used to unlock bikes were replaced with virus-infected QR codes that scammed users into unknowingly paying money and exposing personal information.

Since e-scooter companies typically keep their consumers’ sensitive information in their servers and databases, attackers may perceive these companies as an appealing target. The hacker’s incentive to seek out e-scooter users as victims can result in major data breaches that leave consumer information exposed and vulnerable. There already have been instances in which cybersecurity flaws have been exploited.

For example, in 2019, a cyberattack was leveled on a Swedish e-scooter company, resulting in the breach of personal information, including the names, e-mails, and phone numbers of 460,000 users.⁶

In addition to exposing data, e-scooters may also be hacked to control operation of the scooter itself⁷ or commandeered to spout obscenities.⁸

Could e-scooter cyber risks lead to more kidnapping?

A new type of street crime is reportedly emerging as data becomes increasingly digitized. Criminals or hackers not only can gain personal information through these exploits, but they also could access the GPS location of the e-scooter and possibly users’ cell phones.¹⁰ An attack on GPS location could allow a hacker to see live updates of customers' locations when they ride e-scooters, possibly exposing personal information, such as their work or home address.

This potential breach of real-time location doesn’t end when the ride concludes. If the GPS location feature on the mobile app is left on, then hackers could potentially continue to keep track of the user subsequent to the completion of the ride. This could potentially increase the possibility of abduction or kidnapping, a crime that reportedly leads to $1.5 billion paid in ransom each year.¹¹

Whether the threats originate from weak information system protections, cybercriminals, or the customers themselves, it appears clear that this relatively nascent technology poses a wide range of risks.

To learn more about e-scooter risks, please visit the ISO Emerging Issues topic page.

Student Contributors:
Savannah Hutchins, Tori Luu, Ruhi Patel, Darian Randolph, and Lauryn Tyson

Bethan Moorcraft, “The Rise of the E-Scooter and Micromobility Insurance,” Insurance Business America, September 23, 2019,
< https://www.insurancebusinessmag.com/us/guides/the-rise-of-the-escooter-and-micromobility-insurance-178637.aspx >, accessed on April 8, 2020.
Maggie Tillman, “E-Scooters in the U.S.: Everything you need to know about the electric scooters from Bird, Lime, and Spin,” Pocket Lint, January 29, 2020,
< https://www.pocket-lint.com/apps/news/144782-e-scooter-invasion-everything-you-need-to-know-about-electric-scooters-from-bird-lime-and-spin >, accessed on April 8, 2020.
App Analysis: Bird, The App Analyses, October 4, 2019, < https://theappanalyst.com/bird.html >, accessed on April 8, 2020.
QR code scam can clean out your bank account, Malwarebytes Labs, July 31, 2019,
< https://blog.malwarebytes.com/scams/2019/07/qr-code-scam-can-clean-out-your-bank-account/ >, accessed on April 8, 2020.
Li Tao, “QR code scams rise in China, putting e-payment security in spotlight,” South China Morning Post, March 21, 2017,
< https://www.scmp.com/business/china-business/article/2080841/rise-qr-code-scams-china-puts-online-payment-security >, accessed on April 8, 2020.
“Scooter rental company hit by massive data leak,” CPH Post Online, March 20, 2019, < http://cphpost.dk/?p=110595 >, accessed on April 8, 2020.
Rani Idan, “Don’t Give Me a Brake: Xiomi Scooter Hack Enables Dangerous Accelerations and Stops for Unsuspecting Riders,” Zimperium’s Mobile Security Blog, February 12, 2019, < https://blog.zimperium.com/dont-give-me-a-brake-xiaomi-scooter-hack-enables-dangerous-accelerations-and-stops-for-unsuspecting-riders/ >, accessed on April 8, 2020.
Lucy Stone, “Hacked Lime scooters play offensive messages,” Brisbane Times, April 23, 2019,
< https://www.brisbanetimes.com.au/national/queensland/hacked-lime-scooters-play-offensive-voice-messages-20190423-p51ghx.html >, accessed April 8, 2020.
Annalee Newitz, “How hacked rental e-scooters could be the future of street crime,” New Scientist, May 1, 2019,
< https://www.newscientist.com/article/mg24232282-900-how-hacked-rental-e-scooters-could-be-the-future-of-street-crime/ >, accessed April 8, 2020.
Amy Bell, “A Guide to Kidnap and Ransom Insurance Coverage,” Investopedia, February 20, 2020,
< https://www.investopedia.com/articles/personal-finance/062915/guide-kidnap-ransom-insurance-coverage.asp >, accessed on April 8, 2020.