Security Flaw Reveals Location of Thousands of Electric Vehicles, Phone numbers

Supersoco, maker of electric bikes, uses a flawed API. Neither the company nor its importer in Germany and Austria seems to want to fix the vulnerability.

Lesezeit: 7 Min.
In Pocket speichern
vorlesen Druckansicht Kommentare lesen

Supersocos electric motorcycles and scooters are available in a vast number of countries – all of them use the same API and cellular GPS trackers.

  • Andrijan Möcker

Hier lesen Sie diesen Beitrag auf Deutsch.

Australian company Vmoto sells its battery powered scooters and motorcycles under the brand name Supersoco. Most of its vehicles feature a GPS tracker with a vehicle interface that sends data to the Supersoco app via the company's servers using a cellular data connection. Among other information, the app displays the vehicle's mileage, its position, the status of its traction batteries, and the phone number of the associated user's account.

Now, during an audit of the Supersoco app, IT security firm "VTRUST" has discovered a serious vulnerability in the company's application interface and the vehicle registration process. The flaw allows third parties to view vehicle data without prior authentication, regardless of whether the users in question have registered their vehicles to the app – the data is transferred to the company's servers regardless and stored there.

The flaw was initially discovered in a Supersoco motorcycle owned by a VTrust employee. To rule out that the bug only affected a small number of vehicles with faulty software, VTrust developed and executed a proof-of-concept script, gaining access to a data set containing information on several thousand vehicles, not all of which had been registered by their owners, with most of them spread across Europe. In a contradiction of the company's own privacy statement, the data also included records that were more than three months old and should already have been deleted.

The material provided to c't indicates that unauthorized access to all of the company's GPS-equipped vehicles is possible at any time. Someone with this information could use and abuse it in various unsettling ways, e.g. to create a movement profile of the user. It seems likely that the data set of 3500 vehicles is only the tip of the iceberg.

The file provided to c't contains 3500 anonymized data sets, each for a two-wheeler made by Supersoco. In all likelihood, more Supersoco vehicles are affected by the same vulnerability.

In an effort at responsible disclosure of the vulnerability, VTrust initially reached out to the Austrian company that imports Supersoco's bikes and scooters to Germany and Austria, Hans Leeb GmbH. The goal was to gain a direct line of communication with the manufacturer to share details of the flaw with the appropriate people there. However, the importer responded neither to numerous emails and calls, nor to faxes or a registered letter sent by VTrusts lawyer. Multiple emails to Supersoco did go unanswered as well.

After almost four months of fruitless communication attempts, VTrust informed c't magazine of the security flaw, demonstrated it in action, and sent us the anonymized data set. In response, c't asked Hans Leeb GmbH and Supersoco for a statement regarding their failure to respond, also inquiring whether they were already aware of any security issues. However, our phone calls to Austria never got past the receptionists, who claimed that the person in charge was "currently unavailable" or "in a meeting". In a last-ditch effort, pointing out the severity of the flaw and providing a few details, c't asked for a callback that never came.

One day before the deadline set by c't expired, Supersoco's privacy officer in Shanghai finally reacted, saying that the company had investigated the issue described by VTrust and found nothing. Additionally, the company claims to have performed a GDPR compliance review in collaboration with TÜV Rheinland (Shanghai), although it didn't share the results of the review with us.

This response is puzzling, since the emails VTrust sent to Supersoco didn't mention any details of the security flaw upon which the company could have based its investigation on. VTrust received a similarly confusing email, albeit for other reasons: Supersoco didn't ask for specifics regarding the vulnerability, promising to take care of the issue itself. Additionally, the company stated that VTrust had no right to allow the press to publish anything on the matter and was prepared to take the matter to court in case the company suffers financial damage as a result of a publication. VTrust's renewed offer of constructive assistance remained unanswered. Similarly, the privacy officer has thus far failed to respond to our inquiry regarding the nature of the review that Supersoco and TÜV Rheinland undertook, why the company remained mute for months, and why it didn't simply request a demonstration of the vulnerability from VTrust free of charge.

Mehr von c't Magazin Mehr von c't Magazin

The data protection and privacy issues this vulnerability causes for owners of Supersoco vehicles are bad enough, but beyond those, it also facilitates theft. The problem: The traction batteries also power the on-board electronic system, including the alarm system. Unless at least one of these batteries is installed, the alarm is offline. However, the GPS tracker has its own separate battery and signals the server when neither of the two slots for traction batteries is in use. Theoretically, owners could keep tabs on stolen scooter's whereabouts using the app, but it stands to reason that the GPS tracker would be the first thing a thief would disable, making tracking impossible.

Example data set: { "account" : "49_157XXXXXXXX", "deviceNo" : "03XXXXXXXXXXXXXX", "deviceId" : XXXXX, "countryCode" : "DE", "isWarnPush" : 1, "historyLocusSwitch" : 1, "userId" : XXXXX, "nowElec" : 34, "endurance" : 34, "gsm" : 2, "gps" : 5, "bindStatus" : 1, "latitude" : 49.XXXXX, "longitude" : 11.XXXXX, "powerStatus" : 0, "voltage" : 4, "loginTime" : "24/03/2021 00:11AM", "lastGpsTime" : "24/03/2021 00:12AM", "createTime" : "09/05/2019 03:54AM", "status" : 1, "title" : "Lose connection with the battery", "statusDesc" : "Your device number:03XXXXXXXXXXXXXX,Your battery has been plugged out or circuit-breaker turned off,please check the vehicle information", "accumulativeRim" : 0, "sleep" : 0, "mileages" : 875.007220159274 }

For now, it seems the only course of action for owners of a Supersoco bike is to get in touch with their local dealership or service partner and have them remove the GPS tracker. Additionally, installing a different tracking solution is probably a good idea. While this means owners will have to give up the use of the Supersoco app, at least until the flaw is fixed, we believe the better data protection and lower risk of vehicle theft easily outweigh this inconvenience.

In consultation with VTrust, c't has informed the appropriate German and Austrian federal agencies of this case and also brought it to the attention of the European Data Protection Supervisor concurrently with the publication of this article.