**The Defunct Scooter Company and the Default Key: A Tale of Vulnerabilities and Reverse Engineering**
Rasmus Moorats, an Estonian resident, was left with a dilemma when his Äike scooter's app and cloud service went bust last year. The company behind the scooter had shut down, leaving many of its owners without access to their vehicles' functions. Determined to reclaim control over his scooter, Moorats embarked on a journey of reverse engineering the scooter's app and Bluetooth functionality.
As he delved deeper into the code, Moorats achieved his initial goal of unlocking his Äike scooter. However, in doing so, he stumbled upon something far more significant: a hardcoded key that granted access to all Äike scooters. The revelation was startling – the key, it turned out, was simply "ffffffffffffffff". This meant that any Äike scooter, with or without Bluetooth connectivity, could be unlocked and interacted with using this single key.
There was, however, an exception: a subset of Äike scooters used as hire vehicles didn't come equipped with Bluetooth capabilities. These machines remained unaffected by the discovery of the hardcoded key.
Moorats' findings also led him to explore the potential for reverse engineering the scooter's functionality itself. This could have significant implications for users who still own an Äike scooter, particularly considering the company's demise has left them without any official support or updates.
So, what does one do when a vulnerability is discovered in a product with no manufacturer to turn to? In this case, Moorats reported his findings to the vendor of the IoT module inside the Äike scooter. Their response was telling: the hardcoded key was a default value that should have been changed by the Äike developers.
While the story of the Äike scooter's demise and subsequent vulnerability discovery may be specific to this company, it serves as a cautionary tale for other manufacturers in the industry. Scooter hacking is, in fact, very much a thing – and companies would do well to take heed of this example and prioritize security in their products.
For those who still own an Äike scooter, good luck may be needed indeed. Perhaps, however, Moorats' write-up will serve as a reminder that even when manufacturers go under, users can still take matters into their own hands – with the right skills and knowledge, of course.