39C3: Wheelchair Security – When a QR code bypasses all security mechanisms
An IT security researcher reveals how a wheelchair's QR code becomes a master key to all comfort functions.
(Image: media.ccc.de, CC BY 4.0)
IT security researcher and wheelchair user Elfy delved deeply into Alber's e-motion M25 out of personal concern. What drove her, not least, was the manufacturer's pricing policy: steep surcharges are levied for functions such as switching driving modes (99 Euros), a higher speed limit (99 Euros), or remote control via app (99 Euros); a special Bluetooth remote control even costs up to 595 Euros. Elfy wanted to know if these comfort functions are technically really secured – or if access is actually much easier.
Comfort functions behind paywalls
In her presentation at the 39th Chaos Communication Congress (39C3), Elfy explained that all comfort and premium functions of the M25 – such as higher speed, switching between driving modes, or app-based remote control – are activated exclusively via software and paid unlockings. Elfy emphasized that, in her opinion, the hardware is consistently identical and the differences arise solely from the software unlock. Regarding the hardware, she said literally: "The hardware is actually really good, it does what it's supposed to do, and works really comfortably and practically."
In official documents and in submissions to authorities such as the US Food and Drug Administration (FDA), the manufacturer stresses that all Bluetooth communication is "encrypted" and therefore secure. A letter to the FDA states: "All wireless communications is encrypted." For users, however, this primarily amounts to a price barrier, not actual security, according to Elfy.
QR code as a master key
The core of the security architecture of the e-motion M25 is a 22-digit QR code ("Cyber Security Key") prominently displayed on each wheel hub. The official app scans this code during initial setup and deterministically derives the AES-128 key for Bluetooth communication from it. Elfy explained: "The AES key for each wheel is a QR code glued onto the wheel hub." And further: "With this key, you can completely take over the wheelchair."
There is no additional security, such as salt, hardware binding, or another secret in the device. Anyone with a camera could theoretically photograph the QR code and control the wheel. Elfy added: "And that's what they call a Cyber Security Key." The exact method of key derivation and the technical details are documented in the associated GitHub repository.
Encryption: AES as a fig leaf
Both the manufacturer's statements and Elfy's analysis agree that the device uses standard AES-128 in CBC mode. Elfy said about this: "The nice thing about it is that the cryptography is actually okay. It's AES-128-CBC." The crucial point, however, is that messages carry no integrity or authenticity check. "They just use the standard stuff, PKCS7 padding, and that's it," said Elfy. Neither a Message Authentication Code (MAC) nor an Authenticated Encryption mode (AEAD) is used.
Without authentication, the system is open not only to replay and manipulation attacks but also to targeted bit-flipping in encrypted messages: CBC decryption XORs each ciphertext block into the following plaintext block, so an attacker who flips a bit in one ciphertext block flips the corresponding bit in the next plaintext block without knowing the key. Initialization vectors are also not regenerated for each message, which means identical commands encrypt to identical ciphertext. Elfy said: "In several places, I had the feeling they know the basics, but then stopped thinking about problems." The encryption implementation itself is openly visible rather than hidden.
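The weakness described above can be demonstrated in a few lines. The following script is an added example for this article, not code from Elfy's toolkit or from the manufacturer; the wire format, key, IV and command strings in it are constructed for illustration and are not the M25's real protocol. To run on the Python standard library alone it uses a stand-in 128-bit block cipher (a 4-round Feistel network built on SHA-256) in place of AES; the malleability it shows is a property of CBC mode itself and holds unchanged for AES-128-CBC. It then adds the missing piece, an encrypt-then-MAC tag, and shows the same forgery being rejected.

```python
"""CBC + PKCS7 without a MAC: bit-flipping, replay, and the encrypt-then-MAC fix.

Added example, not the M25's code. The block cipher is a stand-in Feistel
network (standard library only); the CBC properties shown hold for AES too.
"""
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed 8-byte digest of one half-block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel). Not AES; see lead-in."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pt, out, prev = pkcs7_pad(plaintext), [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))  # P[i] = D(C[i]) XOR C[i-1]
        prev = c
    return pkcs7_unpad(b"".join(out))


def flip_next_block(ciphertext: bytes, block: int, offset: int, mask: int) -> bytes:
    """XOR `mask` into byte `offset` of ciphertext block `block`. Because of the
    CBC chaining above, the same mask lands on byte `offset` of plaintext block
    `block + 1`; plaintext block `block` is garbled, but nothing detects that."""
    ct = bytearray(ciphertext)
    ct[block * BLOCK + offset] ^= mask
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the integrity check the M25 protocol lacks."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, iv: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: message was modified")
    return cbc_decrypt(enc_key, iv, ct)


# Constructed values: stand-ins for the QR-derived key, a fixed IV, a command frame.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_KEY = b"independent-mac-key"
STATIC_IV = bytes(BLOCK)
MSG = b"SVC=DRIVE;PARAM=SPEED=06"  # block 0: header, block 1: "SPEED=06" + padding


def demo() -> dict:
    ct = cbc_encrypt(KEY, STATIC_IV, MSG)
    # Turn '6' (0x36) into '9' (0x39) in block 1 by flipping byte 7 of block 0.
    forged = flip_next_block(ct, block=0, offset=7, mask=0x36 ^ 0x39)
    tampered = cbc_decrypt(KEY, STATIC_IV, forged)  # accepted: padding is intact
    sealed = seal(KEY, MAC_KEY, STATIC_IV, MSG)
    forged_sealed = flip_next_block(sealed, block=0, offset=7, mask=0x36 ^ 0x39)
    try:
        open_sealed(KEY, MAC_KEY, STATIC_IV, forged_sealed)
        mac_rejects = False
    except ValueError:
        mac_rejects = True
    return {
        "forged_tail": tampered[BLOCK:],                       # b"SPEED=09"
        "header_garbled": tampered[:BLOCK] != MSG[:BLOCK],     # True, undetected
        "deterministic": cbc_encrypt(KEY, STATIC_IV, MSG) == ct,  # fixed IV: replayable
        "mac_rejects": mac_rejects,                            # True with encrypt-then-MAC
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The forged frame decrypts with valid padding and a changed speed value; only the header block turns to noise, and a receiver that checks nothing but padding will act on it. With a fixed IV the same command always produces the same bytes, so a captured frame can be replayed verbatim and individual commands can be recognised on the air. The `seal`/`open_sealed` pair shows that a MAC over IV and ciphertext (or an AEAD mode such as AES-GCM) closes the bit-flip hole; it does not by itself stop replay, which needs a per-message IV or counter as well.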
Protocol and Reverse Engineering
The proprietary protocol between the app, remote control, and drive is surprisingly simple, according to Elfy. In the presentation, she said: "In theory, it's really not a complicated thing. There were a few funny design decisions, but it's basic stuff. It's not complicated." Messages contain service IDs, parameters, and payload. Elfy has documented the entire structure on GitHub.
For the analysis, Elfy decompiled the Android app, intercepted firmware and traffic, and created a Python toolkit from it. Elfy reported: "I replaced the remote control, that's several hundred lines of Python code that talk to my wheelchair drive. I was able to replace the parking function. I was able to replace some maintenance functions. I replaced the dealer mode, and this self-driving mode can also be completely done."
Elfy pointed out that the expensive remote controls hardly differ from cheaper variants in terms of hardware: "The hardware of this remote control is almost identical. The more expensive version is a boolean flag in the manufacturer's configuration software. And they market it as two different products."
Software paywalls and dealer functions
The premium features are unlocked purely on the software side via the app. Elfy said about this: "The payment only unlocks the graphical user interfaces in the app. Nothing changes on the drive itself. Only certain parts of the application become visible that are not visible without payment."
Dealer and maintenance functions are also not protected by hardware. Elfy explained: "You have to know the password. It wasn't particularly well hidden. The password was in some PDFs on the internet. But I got the password in plain text from the Android app."
Universal vulnerability with far-reaching consequences
Elfy pointed out that this vulnerability affects all M25 systems: "I've seen two or three others besides mine at this congress. So please don't scan other people's QR codes. Because you could cause damage."
Encryption thus becomes a mere formality, while access control relies on an openly visible sticker. Elfy emphasized that AES-128 is only secure as long as the key remains secret – in the case of the M25, however, the key is openly visible as a QR code on the wheel.
Critical look at medical technology
Elfy's presentation made it clear that strong algorithms alone do not guarantee security. Without well-thought-out key management and robust protocols, control over one's own device ultimately remains with the manufacturer – unless users themselves resort to tools like Elfy's open Python toolkit. The complete analysis, scripts, and documentation can also be found in the GitHub repository.
(vza)