E-Trojans: Ransomware, Tracking, DoS, and Data Leaks on Battery-powered Embedded Systems

Date: 2024-11-26
Venue: arXiv.org
AI Summary

This work presents the first systematic security assessment of battery-powered embedded systems (BES) in shared e-scooters (Xiaomi M365/ES3), uncovering four critical design flaws, particularly in the battery management system (BMS).

Method: Leveraging firmware reverse engineering, ARM Cortex-M binary hot-patching, BLE protocol analysis, and a custom penetration toolkit (E-Trojans), the authors develop a multimodal attack framework tailored to BES.

Contribution/Results: The authors demonstrate four novel, practical attacks: (1) remotely or near-field-triggered battery undervoltage ransomware, the first ransomware prototype targeting a commercial BMS; (2) device-level unique fingerprinting for persistent tracking; (3) denial of service; and (4) sensitive data exfiltration. All attacks are validated on real-world devices: the ransomware forcibly disables battery functionality, and fingerprinting achieves device-unique identification. They further propose four deployable defense mechanisms, which the vendor confirmed as actionable.

Abstract

Battery-powered embedded systems (BESs) have become ubiquitous. Their internals include a battery management system (BMS), a radio interface, and a motor controller. Despite their associated risk, there is little research on BES internal attack surfaces. To fill this gap, we present the first security and privacy assessment of e-scooter internals. We cover the Xiaomi M365 (2016) and ES3 (2023) e-scooters and their interactions with Mi Home (their companion app). We extensively reverse engineer (RE) their internals and uncover four critical design vulnerabilities, including a remote code execution issue in their BMS. Based on our RE findings, we develop E-Trojans, four novel attacks targeting BES internals. The attacks can be conducted remotely or in wireless proximity. They have a widespread real-world impact, as they violate the safety, security, availability, and privacy of the Xiaomi e-scooter ecosystem. For instance, one attack allows the extortion of money from a victim via a BMS undervoltage battery ransomware. A second one enables user tracking by fingerprinting the BES internals. With extra RE effort, the attacks can be ported to other BESs featuring similar vulnerabilities. We implement our attacks and RE findings in E-Trojans, a modular and low-cost toolkit to test BES internals. Our toolkit binary-patches BMS firmware by adding malicious capabilities. It also implements our undervoltage battery ransomware in an Android app with a working backend. We successfully test our four attacks on the M365 and ES3, empirically confirming their effectiveness and practicality. We propose four practical countermeasures to fix our attacks and improve the security and privacy of the Xiaomi e-scooter ecosystem.
Problem

Research questions and friction points this paper addresses:

- Assessing security risks in battery-powered embedded systems (BES)
- Identifying vulnerabilities in e-scooter internals and companion apps
- Developing attacks (ransomware, tracking) that exploit the BMS and wireless interfaces
Innovation

Methods, ideas, or system contributions that make the work stand out:

- Reverse engineering e-scooter internals to find vulnerabilities
- Developing a modular toolkit for BMS firmware patching
- Implementing the undervoltage ransomware in an Android app with a working backend