VanMoof going bankrupt, what about my digital bike key?

A few days ago VanMoof (a Dutch E-bike vendor) applied for a suspension of payment, this usually means the company might go bankrupt in the near future. What does that mean for their customers? In this post I’ll share some toughs on the cloud dependency products have these days.

Iedereen met zo'n fancy (hopelijk niet kapotte) #VanMoof fiets, zorg dat je z.s.m. de "encryption keys" exporteert met dit tooltje. Mocht hun server dan uit de lucht gaan, bestaat er nog een kans dat je je fiets nog van het slot kan halen. Zonder keys wordt dat exponentieel… https://t.co/gMZsAMRJoy

— Stephan van Rooij 🕙 (@svrooij) July 12, 2023

Cloud stuff for your bike

So you bought a bike, where do I need the cloud for? You have this app that allows you to lock and unlock your bike with your phone. This is sold as a nice extra feature. It does not use the cloud, it just uses bluetooth to tell the bike to unlock. But to do that you need an encryption key, since all bluetooth communication is encrypted so your neighbor cannot unlock your bike.

This encryption key (your digital bike key) is stored in the cloud. So you don’t need their cloud to unlock your bike, once the app on your phone downloaded the digital key. You also need this encryption key if you want to ride faster (20 mph or 32 km/h is region locked).

Cloud dependency

I’m not against using your phone to unlock your bike. I’m against mandatory cloud requirements. If only they build their app that you can either load your digital bike key through a file import or by entering your account details and using the cloud.

Congratulations with your new bike, would you like to export the digital bike key somewhere safe for future use?

I would have made it that the first time your registered the bike in the app, it would show you a message to export your digital key once.

We seem to be forgetting that we actually bought the thing (bike, car or other electronic device), if I bought something it is mine. And I’ll use it however I want. I don’t like things that you buy and then are confronted with a monthly subscription for something extra. Or even worse that you need the cloud to keep using the device.

Cloud should be optional

The cloud is not all bad, but as shown here there are some serious risks when the cloud is mandatory. Apps to control devices have to be designed for local control first, and might include totally optional cloud services. A cloud (which is just someone else his computer), can help with setting up remote connections for those not that tech-savvy that they can setup a VPN. A cloud can also help to be a fast way to locate a device, but please make sure that you can also just enter the local IP if it’s a networked device.

In my opinion our oven does not need a connection to Russia and China, for me to turn it on when I’m not in front of the machine. If it would be controllable over the local network that would be more then sufficient for me.

Having local control as a starting point and maybe extending it to the cloud for som additional services is way better then having a mandatory cloud dependency. It helps to protect against:

• Devices becoming e-waste if company goes bankrupt.
• Devices still being controllable if internet (or cloud) is down.

And having local control makes the devices more responsive, the signal (in case of our oven) does not need to travel to some server in the United States or some other foreign country an back over the same internet connection just to send a “turn on” message when the oven is on the same wireless network.

Series: Optional cloud

• I disconnected our smart oven, and maybe you should as well
• VanMoof going bankrupt, what about my digital bike key?

Solution for VanMoof owners

A competitor of VanMoof, has created an app that allows you to connect to the VanMoof server one last time, to download your digital bike key (, save it somewhere save?). And use that to unlock your bike in the future if the VanMoof cloud goes down. But there is another problem with that app, it’s not open-source so it’s not sure what they do with your data.

Me being a pessimist. What if this new app downloads your digital bike key, and sent it to a new server together with the location of the lock command. Then a few days later a white unmarked van rolls in the street and unlocks your bike with your own digital bike key and poof your bike is gone.

I cannot recommend this app from a professional standpoint, since I haven’t seen the source. I will however tell everybody that they should save their digital bike key while they still have the chance, by whatever means possible. And if you’re not tech savvy, this app might be your best shot.

More technical solution

There also is an open-source PowerShell script by Stefan Stranger to at least save the encryption key to your local computer, but then you still need some app to send the unlock command.

Heb je een #VanMoof en weet je wat #PowerShell is? Gebruik dit script van @sstranger om je encryptie sleutels veilig te stellen. Je weet immers maar nooit.
Dit is wellicht ook een goed moment om een discussie aan te slingeren of een apparaat (of fiets of auto) wel echt van jouw… https://t.co/IoEg21J4Nk

— Stephan van Rooij 🕙 (@svrooij) July 13, 2023

Paid app

There also seems to be a paid app that you can use to unlock your bike but the same concerns apply here, as it’s not open-source as well.