The beginning.
At the end of last year, I bought an electric scooter. It was something I had been meaning to do for a while, but couldn’t justify until I lived in close proximity to civilisation. The model I ended up settling on was the Segway-Ninebot Max Gen2. It’s a great scooter performance and build quality-wise, but there was one particular thing that I really didn’t like and didn’t consider upon purchase. Activation.
Ninebot is a Chinese company in which Xiaomi has a huge stake. Like most sizeable companies in China, Xiaomi has incredibly close ties to the Chinese government. This company expects me to create an account using their app, confirm the email I used to create that account and then link my newly purchased scooter to that account: in order for me to ride. Not only that, but the app requests permissions such as location to track the where you ride and how you ride. No thank you.
So the question becomes how do I bypass this unacceptable barrier? With a bit of search engine wizardry I found a fairly active community around these scooters. There were tools and Github repositories and it all seemed easy enough: profit. Unfortunately, at the time the Gen 2 was really new so none of these tools had been verified as working (especially for the Australian model). Being a willing guinea pig and confident that I could undo any mistakes I made, I dove in. Luckily for me, existing tools just worked and I could flip the activation bit via Bluetooth without any difficulty (the lack of security is a whole other blog post). That got me wondering if I could push the boundaries a little.
You see, the Australian version of the scooter is intentionally restricted at the factory to comply with our somewhat onerous regulations. Some of these limitations include a 25 KM/H speed limit, the hardware is perfectly capable of more it’s just a software limitation. Although it seemed like custom firmware might be the solution to this problem, another thought came to mind; perhaps its just a simple serial number check. A few searches later and this suspicion was confirmed, forum posts mentioned a golden serial number that would unlock all factory features. The tool I used to activate the scooter also permitted me to change the serial number. 5 minutes later it was done, did some testing and I went on my merry way.
I then got busy with a new job and other life priorities and didn’t use the scooter much for nearly two months. Until this weekend, when I got out and rode around (on private property) while catching up with a friend I hadn’t seen in a while. What I’d done a couple of months ago didn’t really occur to me until I realised, despite that person having the same scooter they kept falling behind me. Not only that, but their battery wasn’t lasting as long as mine. Within an hour I’d helped that friend make the same change to their scooter and we were back at it again. It all fell into place in my head while we rode: Hacking is the act of creating liberty in a world where technology increasingly deprives us of it.
I had liberated this piece of technology for not only myself but for someone else. I was amazingly appreciative of those that did the hard work before me, such that I could share the fruits of their labor.
For a brief period of time in a world where conformity is achingly demanded and attention is fleeting, fraught and fungible we have found true liberty from conformity and regarded what we have.
This raised a few questions in my mind, why is hacking, an act that is essentially the digital equivalent of critical thinking, tarred with the brush of criminality? Why do we discourage individuals from exploring the limits of the systems that control them and fundamentally manipulate them through law and punishment? Why do we further cement this through implementation of regimes such as copyright and DRM?
The answer: because we have convinced ourselves this is okay, nay, necessary for corporate existence, compliance, security and safety. As someone who works in security I can tell you, this doesn’t work.
The very principle of creating walled gardens, also known as security through obscurity, does not work. It never serves the benefit of the end-user (in fact it usually serves to undermine the end-user), it doesn’t provide much if any protection but it most certainly provides the appearance of protection. This veneer of protection is the very same that has convinced us to criminalise and punish those that push boundaries and critically examine platforms, services and applications.
As the Hitch once said: It is the mind-forged manacles that are the hardest to break.
I am by no means saying that we shouldn’t punish criminal hacking. Stealing, fraud and malicious damage are already illegal.
However, we certainly shouldn’t call hacking a criminal activity.
The critical thinking skills that make a good hacker has are the only means by which we will conqueror many of the major issues our species and planet faces over the next few years, decades and centuries. From misinformation, to climate change and surveillance capitalism, we need an army of people asking how and why, rather than blindly accepting the answer dancing in the void.
So where do we go from here?
Hacking is just critical thinking, questioning why something is the way it is and validating the way its enforced in practice and the assumptions made. From there you break those assumptions and enforcements and see what happens. You can break it down into a process like the below.
Next time you buy/acquire/take part in something ask the following questions:
- Understand what you’re looking at, what it is, how it works?
- Does the concept of this product, service, platform, process fundamentally hold up?
- If limitations exist in this product, service platform or process, why do they exist?
- If this reason is negative do I want to continue to use this product, service, platform, process?
- If I desire to continue to use this platform, how can I mitigate, bypass or operate outside of these limitations?
- Once you’ve mitigated, bypassed etc… share what you’ve done with others.
The final step is key, the net positive impact of hacking is in direct proportion to the number of people that know about what you did. It acts as an immunising agent, identifying places where something isn’t right and allowing us to inoculate against that flaw. That is exactly why I modified my friends scooter. Because If I don’t want that model of business, I sure as hell don’t want those I care about subjected to it either. Furthermore, this approach creates accountability for companies and hackers alike.
Use this approach to analyse some components of your life. I mean I am not perfect at this, I bought a scooter that has preinstalled spyware, it was only because of these questions that I avoided it. Take time to answer those questions, get interested in the world around you and if you’re interested in learning more reach out to me.