Incident: E-scooter Speed Restriction Hacks by Mechanics Lead to Safety Risks

Published Date: 2022-03-22

Postmortem Analysis
Timeline
1. The software failure incident of e-scooter speed restriction hacks, where mechanics were able to override e-scooter speed restrictions, happened in November 2020 [125711].

System
1. E-scooter software system failed to prevent mechanics from overriding speed restrictions [125711]
2. Anti-tampering mechanisms failed to prevent unauthorized modifications to e-scooter software [125711]

Responsible Organization
1. Mechanics offering to override e-scooter software to increase speeds [125711]
2. Private sellers advertising hacked e-scooters using online marketplaces [125711]

Impacted Organization
1. Pauline Lilford, who was struck by an e-scooter traveling at 20mph, resulting in a broken leg and a "smashed up" elbow [125711].

Software Causes
1. Mechanics overriding e-scooter software to remove speed restrictions, increasing top speeds to more than 21mph [125711]
2. Private sellers advertising hacked e-scooters using online marketplaces [125711]

Non-software Causes
1. Mechanics overriding e-scooter speed restrictions physically by tampering with the hardware [125711]
2. Private e-scooter sales leading to illegal use on public highways [125711]
3. Lack of regulations and speed limits for privately-owned e-scooters [125711]
4. Inadequate enforcement of laws regarding e-scooter use on public roads [125711]

Impacts
1. The impacts of the software failure incident involving hacked e-scooters included accidents resulting in injuries to individuals, such as Pauline Lilford who suffered a broken leg and a "smashed up" elbow after being struck by an e-scooter traveling at 20mph [125711].
2. The incident also led to concerns about the safety risks associated with riding e-scooters at higher speeds, with experts warning that speeds over 15.5mph could increase the likelihood of severe injuries, including skull fractures and fatal injuries in crashes [125711].
3. There were fatalities reported in crashes involving illegal private e-scooters, with fifteen deaths recorded since 2019, highlighting the serious consequences of software tampering and exceeding speed limits [125711].

Preventions
1. Implementing stronger anti-tampering mechanisms in the software of e-scooters to prevent unauthorized modifications [125711].
2. Enforcing stricter regulations and penalties for individuals and workshops offering to hack e-scooter software to remove speed restrictions [125711].
3. Conducting regular audits and inspections of e-scooter workshops to ensure compliance with laws and regulations regarding speed restrictions [125711].

Fixes
1. Implementing anti-tampering mechanisms in the construction of e-scooters to prevent unauthorized modifications [125711].
2. Introducing software updates by manufacturers to reduce the likelihood of third-party modifications and ensure compliance with speed limits [125711].
3. Enforcing stricter regulations and making it a criminal offense to tamper with speed limiters on e-scooters to deter individuals from engaging in such activities [125711].

References
1. Mechanics offering to override e-scooter software [Article 125711]
2. Undercover reporter posing as an e-scooter owner [Article 125711]
3. Secret filming capturing a mechanic charging to override e-scooter software [Article 125711]
4. Testing conducted by the BBC to verify increased e-scooter speeds [Article 125711]
5. Private sellers advertising hacked e-scooters on online marketplaces [Article 125711]
6. Victim of an e-scooter incident, Pauline Lilford [Article 125711]

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident related to e-scooter speed restriction hacks has been found to have happened at multiple organizations. Mechanics at various workshops in Kent, East Sussex, and London were offering to override e-scooter software to increase speeds, with some even selling new e-scooters that could travel at speeds exceeding 50mph [125711]. (b) The incident of e-scooter speed restriction hacks has also been reported to have occurred with private sellers advertising hacked e-scooters using online marketplaces [125711].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the article where mechanics were able to override e-scooter speed restrictions by hacking the software [125711]. This indicates a failure due to contributing factors introduced by the system development or updates, allowing for the manipulation of speed limits. (b) The software failure incident related to the operation phase is evident in the same article where individuals were using hacked e-scooters on public roads at speeds exceeding the legal limits [125711]. This showcases a failure due to contributing factors introduced by the operation or misuse of the system, leading to safety hazards and accidents.
Boundary (Internal/External) within_system (a) The software failure incident related to the e-scooter speed restriction hacks can be categorized as within_system. Mechanics were able to override e-scooter speed restrictions by hacking the software, increasing the top speeds beyond the legal limit of 15.5mph [125711]. This manipulation of the software from within the system led to the failure of maintaining the speed restrictions set by the manufacturers.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: - The incident of e-scooter speed restriction hacks was primarily due to mechanics offering to override e-scooter software, increasing top speeds to more than 21mph [125711]. - Manufacturer Xiaomi limited all scooters sold in the UK to 15.5mph to conform with the standard set across most of Europe, but the software was being hacked to increase speeds [125711]. (b) The software failure incident occurring due to human actions: - Mechanics were actively offering to hack the software of e-scooters to remove speed restrictions, with one mechanic charging £15 to override an e-scooter's software [125711]. - The undercover reporter posed as an e-scooter owner intending to illegally ride on public roads and interacted with mechanics who were willing to hack the software to increase speeds, despite knowing it was for illegal use [125711].
Dimension (Hardware/Software) hardware, software (a) The software failure incident occurring due to hardware: - The article reports on e-scooters being hacked by mechanics to remove speed restrictions, which involves overriding e-scooter software to increase top speeds [125711]. - Mechanics were able to override e-scooter speed restrictions by hacking the software, leading to an increase in top speeds [125711]. - One mechanic mentioned that hacking the software to increase speed could cause strain on other parts of the scooter, indicating potential hardware implications [125711]. (b) The software failure incident occurring due to software: - The main software failure incident in this case is related to the manipulation of e-scooter software by mechanics to remove speed restrictions [125711]. - Mechanics offered to hack the software of e-scooters to increase speeds, highlighting a software-related issue [125711]. - Manufacturer Xiaomi mentioned limiting all scooters sold in the UK to 15.5mph through software to conform with European standards, indicating the importance of software restrictions [125711].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident in this case is non-malicious. Mechanics were found offering to override e-scooter software to increase the top speeds of e-scooters, which were restricted to 15.5mph. This action was not with the intent to harm the system but rather to provide users with higher speeds for their e-scooters [125711].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions The intent of the software failure incident related to the e-scooter speed restriction hacks can be categorized as both poor_decisions and accidental_decisions: (a) poor_decisions: The software failure incident can be attributed to poor decisions made by mechanics who offered to override e-scooter software to increase speeds, despite the risks involved. Mechanics were found offering to hack the software to remove restrictions, with one even charging £15 to override an e-scooter's software for illegal use on public roads [125711]. (b) accidental_decisions: The incident also involves accidental decisions or unintended consequences, as some mechanics downplayed the safety risks associated with hacking e-scooters and assured customers that there would be no safety hazards. For example, one mechanic repeatedly claimed there was no risk to the rider or the integrity of the e-scooter when increasing the speed limit [125711].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the e-scooter industry, where mechanics were able to override e-scooter speed restrictions, can be attributed to development incompetence. Mechanics were offering to hack the software to remove speed restrictions, increasing top speeds to more than 21mph [125711]. This action goes against safety regulations and poses risks to riders and other individuals. The mechanics involved in this incident lacked the professional competence to adhere to legal requirements and safety standards, leading to the software failure. (b) The software failure incident can also be considered accidental to some extent. While mechanics intentionally offered to override the e-scooter software to increase speeds, the consequences of these actions, such as accidents and injuries, were not their direct intention. The incident of a pedestrian being struck by an e-scooter traveling at 20mph on the pavement in Canterbury, resulting in serious injuries, highlights the accidental nature of the software failure leading to real-world harm [125711].
Duration permanent, temporary The software failure incident related to e-scooter speed restriction hacks can be categorized as both temporary and permanent: (a) Permanent: The software failure incident can be considered permanent as mechanics were able to override e-scooter speed restrictions by hacking the software, leading to a permanent change in the e-scooter's behavior. This change allowed the e-scooters to travel at higher speeds than the legal limit set by the manufacturers [125711]. (b) Temporary: On the other hand, the software failure incident can also be seen as temporary as the manufacturer Xiaomi promised to introduce a software update in the coming weeks that would "significantly reduce the likelihood of third party modifications" [125711]. This indicates that the software failure caused by the hacks could potentially be temporary if the manufacturer successfully implements the update to prevent further tampering with the speed limiters on e-scooters.
Behaviour crash (a) crash: The software failure incident related to the e-scooter speed restriction hacks can be categorized as a crash. This is because the software modifications made by mechanics to override the speed restrictions on e-scooters led to the system losing its intended state and not performing its functions correctly. The hacked e-scooters were found to be ridden at speeds exceeding the legal limits, posing safety risks to riders and pedestrians [125711].

IoT System Layer

Layer Option Rationale
Perception processing_unit, embedded_software (a) sensor: The incident reported in the news article is related to e-scooters being hacked to remove speed restrictions. This is not directly related to a sensor failure but rather a manipulation of the software controlling the speed limits of the e-scooters [125711]. (b) actuator: The incident does not involve a failure related to an actuator error. Instead, it focuses on mechanics overriding the software to increase the speed of e-scooters [125711]. (c) processing_unit: The failure in this case is related to the processing unit of the e-scooter software. Mechanics were able to override the software restrictions to increase the top speeds of the e-scooters, indicating a failure in the processing unit's control over speed limits [125711]. (d) network_communication: The incident does not involve a failure related to network communication error. The focus is on mechanics manipulating the software of e-scooters to remove speed restrictions, rather than any network communication issues [125711]. (e) embedded_software: The failure in this case is directly related to embedded software error. Mechanics were able to hack the software of e-scooters to override speed restrictions, indicating a flaw or vulnerability in the embedded software controlling the speed limits of the e-scooters [125711].
Communication unknown Unknown
Application FALSE The software failure incident described in the articles is not related to the application layer of the cyber physical system. The incident involves mechanics hacking e-scooter software to remove speed restrictions, which is more related to manipulating the firmware or software of the e-scooters rather than a failure at the application layer of a cyber physical system [125711].

Other Details

Category Option Rationale
Consequence death, harm, non-human (a) death: People lost their lives due to the software failure - A teenage girl riding an e-scooter died following a crash with a van in east London [Article 125711]. (b) harm: People were physically harmed due to the software failure - Pauline Lilford was struck from behind by an e-scooter traveling at 20mph, resulting in a broken leg and a "smashed up" elbow [Article 125711]. - Experts mentioned that riding at speeds over 15.5mph can increase the likelihood of skull fractures and fatal injuries in a crash [Article 125711]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident involved e-scooters being hacked to remove speed restrictions, impacting the functionality and safety of the e-scooters [Article 125711].
Domain transportation (a) The failed system in this incident is related to the transportation industry, specifically e-scooters. The incident involved mechanics hacking e-scooter software to remove speed restrictions, allowing the e-scooters to travel at higher speeds [Article 125711].
