[Sticky] Major security flaw in Supersoco's App API

19 Posts
16 Users
3 Likes
11.3 K Views
Posts: 1
Topic starter
(@ctandi)
New Member
Joined: 3 years ago

Hi everyone,

I'm Andrijan Möcker, an editor for heise online (a well-known German IT news portal) and c't Magazine, the biggest printed tech outlet in the DACH area. We have just published a report on a major security flaw regarding Supersoco's App feature and, since the issue is very likely affecting everyone who has that GPRS module installed worldwide, we have also translated that report into English.

https://www.heise.de/hintergrund/Security-Flaw-Reveals-Location-of-Thousands-of-Electric-Vehicles-Phone-numbers-6032889.html

I'm posting here because I suspect that we might not have the international reach to let everyone affected know. Sadly, Supersoco doesn't want to cooperate with the IT security company VTRUST that found the flaw, so the description is only brief in order not to reveal too much to potential thieves. What I can say is that you as owners can't do anything but remove the GPRS module to protect your bike.

I will try to answer questions here as best as I can. If you are with a foreign press outlet and want to report on this, please feel free to contact me via amo@ct.de.

Cheers,
Andrijan

18 Replies
Oscar
Posts: 280
Admin
(@oscar)
Reputable Member
Joined: 6 years ago

This is very concerning... hopefully Super Soco will do something.
In the Netherlands there is a company called GOsharing, which rents out the scooters per minute for sharing. This would be bad for them if the app isn't secure, because as far as I know they use the same software to power on and for GPS etc.

3 Replies
(@socobunny)
Joined: 1 year ago

New Member
Posts: 1

@oscar has this issue been resolved now?

Oscar
Admin
(@oscar)
Joined: 6 years ago

Reputable Member
Posts: 280

@socobunny I actually don't know. Hopefully.

(@superbanana)
Joined: 9 months ago

Active Member
Posts: 6

@oscar Go Sharing uses an entirely separate GPRS (Teltonika) module for their fleet. The built-in ECU has no GPRS module. They probably needed way more functionality than what the standard GPRS module offered.

Posts: 177
(@flyingelectric)
Estimable Member
Joined: 5 years ago

If you aren't using the app, what it pretty much does is pinpoint, for anyone who gets their hands on "this information", where your bike is.

Meaning someone can steal it from your parking place. It's very easy to remove it, as my guess is that if the bike gets stolen you can't find it yourself anyway?

It's located on the bottom left side of the bike and you can remove it easily by pulling a 4x4x2cm box (I think that's the size) from its connector. DONE.

My bike (late 2018) didn't come with this GPS thingy in the first place and I couldn't get the bike to connect with the "APP". So if you bought it new and don't have that QR code, or never got the bike connected to the app, there's a slight chance you might not have the GPS installed.

curlyboi
Posts: 28
(@curlyboi)
Eminent Member
Joined: 3 years ago

Thank you for the report. I am opening a new dealership but I am also a security enthusiast so I understand all the implications of your findings.

Am I correct to assume you at least need to know a valid IMEI? Or can you just brute-force all the possibilities and the server never locks you out?

Posts: 96
(@socomods)
Trusted Member
Joined: 4 years ago

What response has Vmoto given?

This doesn't affect me directly, but it is very concerning that they are not engaging on this issue.

Perhaps reach out to some of the major motorcycle and vehicle publications for a story to make some noise about it?

(BBC and Top Gear too, perhaps.)
