cross-posted from: https://ibbit.at/post/210427
Once upon a time, they told us we wouldn’t download a car, and they were wrong. Later, Zero Motorcycles stated in their FAQ that you cannot hack an electric motorcycle, a statement which [Persephone Karnstein] and collaborator [Mitchell Marasch] evidently took issue with. Not only can you hack an electric motorcycle, it is — in [Persephone]’s words — a security nightmare.
You should absolutely go over to [Persephone]’s website and check out the whole write-up, which is adapted from a talk given at BSides Seattle 2026. There’s simply way more detail than we can get into here. Everything from “what horridly toxic solvents would I need to unpot this PCB?” to the scripts used in de-compiling and understanding code, it’s all there, and in a lively and readable style to boot. Even if you have no interest in security, or electric motorcycles, you should check it out.
The upshot is that not only were Zero Motorcycles wrong when they said their electric motorcycles could not be hacked, they were hilariously wrong. The problem isn’t the motorcycle alone: it has an app that talks to the electronics on the bike, which take over-the-air (OTA) updates. What about the code linked to the VIN alluded to in that screenshot? Well, it turns out you just need a code structured like a VIN, not an actual number. Oops. By the end of it, [Persephone] and [Mitchell] have taken absolute control of the bike’s firmware, and so have full control over all its systems.
Why cut the brake lines when you can perform an OTA update that will do the same thing invisibly? And don’t think you can just reset the bike to factory settings to fix it: they thought of this, and the purely-conceptual, never-deployed malware has enough access to prevent that. Or they could just set the battery on fire. That was an option, too, because the battery management system gets OTA updates as well.
To be clear, we don’t have any problem with a motorcycle that’s dependent on electronics to operate. After all, we’ve seen many projects that would meet that definition over the years. But the difference is none of those projects fumbled the execution this badly. Even this 3 kW unicycle, which has a computer for balance control, doesn’t see the need to expose itself. It’s horribly unsafe in very different ways.
From Blog – Hackaday via this RSS feed


Welp, that's an opsec / electronics / micromobility crossover that I wasn't expecting at all.
BTW, in response to a certain comment, OTA updates for vehicles are not mandatory per UN R156 nor ISO 24089:2023. Those regulations specify that if an automobile is shipped with an OTA update capability, then the manufacturer must implement certain security measures to protect the OTA mechanism from attacks or manipulation. This is, quite frankly, common sense: a vehicle that is type-certified for sale should not have a way to render its type-certificate invalid, by way of something that is within the manufacturer's control. A battery catching fire would definitely invalidate the type certificate.
If a manufacturer doesn't implement OTA updates at all, then they obviously don't need to comply with any of those requirements. That said, most automobile regulations don't tend to apply automatically to motorcycles, so perhaps that's why Zero Motorcycles dropped the ball. Still, it points to the problem that the regulation sought to address: OTA updates are badly engineered, result in harm that only accrues to the consumer, and there's no accountability post-sale.