UK VSETT Retailer: NFC Exploit is a feature, not a bug.

UK VSETT Retailer: NFC Exploit is a feature, not a bug.

Earlier this year I purchased a VSETT 8+, an e-scooter that it's claimed by the manufacturer can reach speeds of up to 25mph. VSETT also claims a range of 30 miles; although my own usage of the VSETT 8+ would suggest that is more realistically, probably about 10-13 miles total (at least, if you're a tall, chubby bloke like me).

I'll come to the reasons for purchasing the 8+ in a moment, because I know they can be quite a controversal subject; but I want to talk about the NFC locking system which I recently found has a rather dubious exploit.

The 'NFC Locking system' is another feature touted by VSETT retailers, see below, as an immobilisation feature. In theory, it's supposed to put a lock on VSETT e-scooters and immobilise them - effectively stopping anyone from just starting it up and riding off. And, whilst that's certainly true in most cases, there is a flaw in the system that would allow anyone with a few seconds to take full control of the e-scooter and ride off making that entire system and the keys redundant. tout the 'immobilser' NFC KEY LOCK feature
PET (Personal Electric Transport) tout the NFC tag reader lock
PET (Personal Electric Transport) tout the NFC lock as 'innovative NFC card key security system'

I discovered the flaw by accident having been trying to add my mobile to the list of approved 'NFC Keys' which could start the e-scooter and thus apply acceleration. Each time I tried to register my phone, around 10 keys would be added which didn't seem right, so I deregistered all of the keys and out of routine, just switched the 8+ off.

The smarter readers will have realised that as soon as I switched off the scooter, I had locked myself out because none of the NFC keys worked having been deregistered. Gulp

Having realised what I'd done, I sat down in disbelief because I had intended to use the scooter to commute to the first day of an internship the next day. It really was one of those "oh f**k" moments - but I'll come back to that later because it links into why I bought the 8+.

Having sat there for a while, it occured to me that there must be a way to register keys when there are none registered - otherwise, how would the original keys get registered? So I powered on the e-scooter again and went through the process of registering an NFC key again even though the screen remained on 'Card'.

The screen on 'card' with all of the keys deregistered.

I tried to capture the process on video to send to the manufacturer, or at least their UK representative - PET; however when I deregistered the cards a second time, the system simply allowed me to logon without prompting for a key as can be seen in the video below. Irrespective, I registered the keys and was able to capture unauthorised menu use - one of the primary issues with this exploit because all that is happening is a different screen is being displayed, there's nothing prompting for extra security or even to verify that someone is a dealer - the system is just open for use without having logged in as can be seen in the below videos.

The first time it happened, I deregistered the keys as seen in the below screen grab:

The screen for de-registering keys

But was then able to run through the process was active, thus bypassing the security all together:

To be clear, I believe this flaw happens across the entire VSETT range. It's not isolated to the 8+. Every VSETT product with this system will be affected.

I approached the retailer where I purchased my 8+ from PET (Personal Electric Transport) - who by all accounts are not a small voice in the electric transport game - they've a wide selection of products available and have actively gauged their community to raise over £10,000 to fund a judicial review of the law around e-scooters which in my opinion is fantastic and very admirable for a profit driven company.

Screengrab from PET's social media following their raising funds for a judical review

Unfortunately, despite claiming to represent VSETT in the UK and be in regular contact with the VSETT factory. PET dismissed the above stating "it is worth pointing out that the key card system, similar to the original key lock on Zero, is only intended to be a light-touch security system.  Its primary purpose will be to act as a simple barrier protecting against unauthorised use - think family members (kids) or when you quickly pop to a shop.  It is not intended to prevent targeted theft."  before going on further to state that "What you have described as a bug, is simply the method Vsett chose to allow dealers to override the security system and tag a replacement key-card.  Sure, it isn't common knowledge but we feel it is complicated enough to suit its intended application."

Personally, I think this kind of misses the point and is deflective because it's perfectly possible to have a system for dealers to override a security system without it being as simple as a couple of button presses for malicious actors to exploit.

It's lazy to dismiss security as "oh it's just a system for dealers" because no malicious attacker cares who the intended audience is or was, that's why they're malicious. Take the case of the 15 year old who hacked NASA's computer network in the 1990s, with exploits that by today's standard's would be considered criminally negligent. Or perhaps the 15 year old who gained access to intelligence networks from a council house bedroom by pretending to be someone he wasn't.

PET do make a good point though, the NFC system should be used in conjunction with another lock. That's valid and on par with 2FA/MFA. I certainly wouldn't leave my scooter in public and out of view, even if it was 'secure' with a NFC tag, without some form of physical lock. But that doesn't excuse the flaw and given the campaigning that PET are doing to push for better e-scooter laws in the UK, I'd have thought the risk of poor security (and thus a risk of increased theft, vandalism, gang violence etc) would have been a detrement to their case.

If there's one positive that came out of finding the vulnerability, it's that I found out that my solokey works with the 8+.

In terms of why I got the 8+, I had been following the e-scooter trend for quite some time and thought that they were a very good tool for commuting to work and other such places; a task that has actually been very difficult for me because of my reliance on other people, public transport or indeed, bikes or shanks pony.

I'm reliant on those because I suffer from epilepsy, a condition that causes bouts of temporary unconsciousness and uncontrollable shaking. Epilepsy is controllable via medication though and mine is under control. I've been seizure free since 2018. In the UK, the legal requirement is that a person is seizure free for one year before they can obtain a driving license; so I have more than met that qualification, yet despite this, my consultant won't sign for a provisional driving licence (despite having done so in the past and everything going well).

So what am I to do? My freedom and life are being affected by not having a driving license, some jobs require them, some jobs are to far to commute by public transport/bike/walking and lets face it, it's not just jobs. There's socialising, shopping, health/welfare (appointments, gym, barbers etc) and all of the other daily shenanigans that would be easier, less expensive and by far more open to me if I had transport - or in this case, PET.

So, I weighed up the options and took the plunge for an e-scooter. Sure, I may not always be in line with the law when I ride at the moment but I hope that will change - and I try to ride and safely as possible. I always wear a helmet, turn my lights on and where appropriate, I wear the PET branded light bands to make sure that people can see me.

In some ways, I suppose it could be considered a protest purchase. I certainly see no reason to justify limiting myself while teenagers and OAPs in my area are using them; and certainly not whilst I see teenagers on motorbikes and mopeds pulling wheelies and riding dangerously. That is of course, self-interest over the 'group interest' but that's what protest is about - just look at the Insulate Britain protests, for example.

Referring back to the point I made earlier about using the 8+ to commute to an internship. I did end up doing that and it's a great example of how e-scooters are a cost effective and safe way for people to get to jobs that might otherwise be unavailable to them. At the time of writing, it's also worth pointing out that the media are reporting huge fuel shortages across the UK. Yet, I didn't need to consume any of that because the battery had charged, just like a laptop or smart phone would. In that respect, e-scooters are a blessing.

In the meantime, despite the exploit, I'm going to continue enjoying the 8+ and I look forward to watching the legislation develop.