[Sticky] Major security flaw in Supersoco's App API
I'm Andrijan Möcker, an editor for heise online (known German IT news portal) and c't Magazine, the biggest printed tech outlet in the DACH area. We have just published a report on a major security flaw regarding Supersoco's App feature and, since the issue is very likely affecting everyone having that GPRS module installed worldwide, also translated that report into English.
I'm posting on here because I suspect that we might not have the international range to let everyone affected know. Sadly, Supersoco doesn't want to cooperate with the IT security company VTRUST that found the flaw, so the description is only brief in order to not reveal too much to potential thieves. What I can say is that you as owners can't do anything but to remove the GPRS module to protect your bike.
I will try to answer questions on here as best as I can. If you are with a foreign press outlet and want to report on this, please feel free to contact me via firstname.lastname@example.org.
This is very concerning... hopefully Super Soco will do something.
In the Netherlands there is a company called GOsharing, which rents out the scooters per minute for sharing. This would be bad for them if the app isn't secure, because as far as I know they use the same software for powering on, GPS, etc.
If you aren't using the app, what it pretty much does is let anyone who gets their hands on "this information" pinpoint where your bike is.
Meaning someone can steal it from your parking place. It's very easy to remove, though my guess is that if the bike gets stolen you then can't find it yourself?
It's located on the bottom left side of the bike and you can remove it easily by unplugging a 4x4x2cm box (I think that's the size) from its connector. DONE.
My bike (late 2018) didn't come with this GPS thingy in the first place and I couldn't get the bike to connect with the "APP". So if you bought it new and don't have that QR code or never got the bike connected to the app, there's a slight chance you might not have the GPS installed.
Thank you for the report. I am opening a new dealership but I am also a security enthusiast so I understand all the implications of your findings.
Am I correct to assume you at least need to know the valid IMEI? Or you can just brute-force all the possibilities and the server never locks you out?
What response has Vmoto given?
This doesn't affect me directly, but it is very concerning that they are not engaging on this issue.
Perhaps reach out to some of the major motorcycle & vehicle publications for a story to make some noise about it?
(BBC & Top Gear too perhaps)