The exploit relates to an issue with the Bluetooth module on the scooter that is designed to let the device communicate with a rider's smartphone. The researchers were able to connect with a scooter via Bluetooth without being prompted for a password or any other form of identification. Once connected, the researchers found that they could control the scooter from their phone, telling it to slow down or speed up whatever the rider was doing, potentially putting them in a dangerous situation.
Making matters even worse, after Zimperium reported the bug to Xiaomi, the company informed the researchers that they could not fix the issue on its own. Due to working with third-party manufacturers, Xiaomi will have to work with them to fix the issue. The company, in a statement to Engadget, said it is preparing an over-the-air update