Bankrupt scooter startup left one private key to rule them all
An Estonian e-scooter owner locked out of his own ride after the manufacturer went bust did what any determined engineer might do. He reverse-engineered it, and claims he ended up discovering the master key that unlocks every scooter the company ever sold.
The company in question, Äike, which filed for bankruptcy last year, built app-controlled electric scooters that rely on a phone and backend servers to do as basic a task as turning them on. That setup worked while the startup was still around. Once it wasn’t, owners were left with pricey scooters that only unlocked when the cloud happened to answer.
Some features limped along for a while, others stopped altogether. So rather than trust his commute to a bankrupt startup’s servers, one owner, Rasmus Moorats, an Estonian security researcher and penetration tester, took matters into his own hands and started poking around to see how the scooter really worked.
A closer look at the Android app and Bluetooth traffic showed that locking, unlocking, and basic status checks all occur locally over Bluetooth, with the cloud mostly along for the ride.
Before accepting commands, the scooter runs a simple authentication check: it sends a short challenge, the app replies with a cryptographic response computed from a secret, and if the response checks out, access is granted. It's designed to stop random passers-by from hopping on and riding off. In theory, at least.
In practice, the secret used to generate that response was, Moorats claims, never properly set. Instead of a unique key per scooter, the manufacturer shipped all models with the same placeholder value: a default private key that appears to have been intended to be replaced before production and simply never was.
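To make the failure concrete, here is an added simulation of the kind of challenge-response described above; it is not Moorats' proof-of-concept and not Äike's firmware, and the article does not say which algorithm the scooter actually uses. The example assumes an HMAC-SHA256 response over a random challenge, a constructed all-zero placeholder key standing in for the unreplaced factory default, and a fleet of simulated scooters. It shows that with a shared key, a single app secret unlocks every device in range, that per-device keys confine one leaked key to one scooter, and that a single-use challenge at least stops straight replay of a captured response.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a factory placeholder that should have been
# replaced by a per-device key during provisioning but never was.
PLACEHOLDER_KEY = bytes(16)


def make_response(key: bytes, challenge: bytes) -> bytes:
    """App side: prove knowledge of the key by keying a MAC over the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Scooter:
    """Scooter side of the exchange: issues a fresh challenge, checks one response."""

    def __init__(self, serial: str, key: bytes) -> None:
        self.serial = serial
        self._key = key
        self._pending: bytes | None = None

    def new_challenge(self) -> bytes:
        # A fresh random challenge per attempt; the previous one is discarded.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, nothing to answer
        expected = make_response(self._key, self._pending)
        self._pending = None  # single use: a replayed response cannot match later
        return hmac.compare_digest(expected, response)


def build_fleet(size: int, per_device_keys: bool) -> list[Scooter]:
    """Provision a simulated fleet either correctly (unique keys) or with one shared default."""
    fleet = []
    for i in range(size):
        key = secrets.token_bytes(16) if per_device_keys else PLACEHOLDER_KEY
        fleet.append(Scooter(f"SIM-{i:04d}", key))
    return fleet


def attempt_unlock(scooter: Scooter, app_key: bytes) -> bool:
    """One full exchange: scooter challenges, app answers with its key."""
    challenge = scooter.new_challenge()
    return scooter.verify(make_response(app_key, challenge))


def count_unlockable(fleet: list[Scooter], app_key: bytes) -> int:
    """How many scooters in range accept this one app key."""
    return sum(attempt_unlock(s, app_key) for s in fleet)


def replay_succeeds(scooter: Scooter, app_key: bytes) -> bool:
    """Capture a valid response for one challenge and try to reuse it on the next."""
    challenge = scooter.new_challenge()
    captured = make_response(app_key, challenge)
    scooter.verify(captured)           # legitimate unlock, consumes the challenge
    scooter.new_challenge()            # next session issues a different challenge
    return scooter.verify(captured)    # stale response should be rejected


if __name__ == "__main__":
    shared = build_fleet(10, per_device_keys=False)
    unique = build_fleet(10, per_device_keys=True)
    print("shared default key unlocks:", count_unlockable(shared, PLACEHOLDER_KEY), "of 10")
    print("placeholder against per-device fleet:", count_unlockable(unique, PLACEHOLDER_KEY), "of 10")
    print("replay of captured response works:", replay_succeeds(shared[0], PLACEHOLDER_KEY))
```

The per-device variant is what the provisioning step was evidently meant to produce: a leaked or extracted key then opens exactly the scooter it belongs to, and nothing else. Note that even the corrected version still depends on someone being able to hold and rotate those keys, which is precisely what disappears when the manufacturer does.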
Once Moorats had worked that out, unlocking his own scooter without the cloud was trivial, and the exact same method works on every other Äike scooter within Bluetooth range, he says. With a short proof-of-concept script and standard tools, he says he was able to unlock any nearby scooter, whether it belonged to him or not.
This isn’t a blueprint for a mass scooter theft spree. Äike never sold scooters at the scale of big rental fleets, and shared scooters appear to use different hardware. Still, the mistake is a familiar one in IoT: default settings left in place, no real key management, and nothing to fall back on once the company vanishes.
Moorats says he disclosed the issue to the hardware supplier, only to be told that key management was the manufacturer’s responsibility – a dead end when that manufacturer is bankrupt.
When smart devices die with their makers, reverse engineering becomes less of a hobby and more of a basic ownership skill. ®
