this post was submitted on 25 Mar 2026
14 points (100.0% liked)

micromobility - Bikes, scooters, boards: Whatever floats your goat, this is micromobility

3503 readers
194 users here now

Ebikes, bicycles, scooters, skateboards, longboards, eboards, motorcycles, skates, unicycles, heelies, or an office chair: Whatever floats your goat, this is all things micromobility!

"Transportation using lightweight vehicles such as bicycles or scooters, especially electric ones that may be borrowed as part of a self-service rental program in which people rent vehicles for short-term use within a town or city.

micromobility is seen as a potential solution to moving people more efficiently around cities"

Recall warnings available here.

Feel free to also check out

!utilitycycling@slrpnk.net

!bikewrench@lemmy.world

!bikecommuting@lemmy.world

!bikepacking@lemmy.world

!electricbikes@lemmy.world

!bicycle_touring@lemmy.world

!notjustbikes@feddit.nl

!longboard@lemmy.world

It's a little sad that we need to actually say this, but:

Don't be an asshole or you will be permanently banned.

Respectful debate is totally OK, criticizing a product is fine, but being verbally abusive will not be tolerated.

Focus on discussing the idea, not attacking the person.

founded 2 years ago
MODERATORS
FartsWithAnAccent@lemmy.world
_haha_oh_wow_@sh.itjust.works
FartsWithAnAccent@kbin.social
FartsWithAnAccent@fedia.io
_haha_oh_wow_@piefed.social
14
Electric Motorcycles Don’t Have To Be Security Nightmares, But This One Was (hackaday.com)
submitted 6 days ago by _haha_oh_wow_@sh.itjust.works to c/micromobility@lemmy.world
1 comments fedilink hide all child comments
 

cross-posted from: https://ibbit.at/post/210427

Once upon a time, they told us we wouldn’t download a car, and they were wrong. Later, Zero Motorcycles stated in their FAQ that you cannot hack an electric motorcycle, a statement which [Persephone Karnstein] and collaborator [Mitchell Marasch] evidently took issue with. Not only can you hack an electric motorcycle, it is — in [Persephone]’s words — a security nightmare.

You should absolutely go over to [Persephone]’s website and check out the whole write-up, which is adapted from a talk given at BSides Seattle 2026. There’s simply way more detail than we can get into here. Everything from “what horridly toxic solvents would I need to unpot this PCB?” to the scripts used in de-compiling and understanding code, it’s all there, and in a lively and readable style to boot. Even if you have no interest in security, or electric motorcycles, you should check it out.

The upshot is that not only were Zero Motorcycles wrong when they said their electric motorcycles could not be hacked, they were hilariously wrong. The problem isn’t the motorcycle alone: it has an app that talks to the electronics on the bike, which take over-the-air (OTA) updates. What about the code linked to the VIN alluded to in that screenshot? Well, it turns out you just need a code structured like a VIN, not an actual number. Oops. By the end of it, [Persephone] and [Mitchell] have taken absolute control of the bike’s firmware, an so have them full control over all its systems.

Why cut the brake lines when you can perform an OTA update that will do the same thing invisibly? And don’t think you can just reset the bike to factory settings to fix it: they thought of this, and the purely-conceptual, never-deployed malware has enough access to prevent that. Or they could just set the battery on fire. That was an option, too, because the battery management system gets OTA updates as well.

To be clear, we don’t have any problem with a motorcycle that’s dependent on electronics to operate. After all, we’ve seen many projects that would meet that definition over the years. But the difference is none of those projects fumbled the execution this badly. Even this 3 kW unicycle, which has a computer for balance control, doesn’t see the need to expose itself. It’s horribly unsafe in very different ways.

From Blog – Hackaday via this RSS feed

top 1 comments
sorted by: hot top controversial new old
[–] litchralee@sh.itjust.works 5 points 6 days ago* (last edited 6 days ago)

Welp, that's an opsec / electronics / micromobility crossover that I wasn't expecting at all.

BTW, in response to a certain comment, OTA updates for vehicles are not mandatory per UN R156 nor ISO 24089:2023. Those regulations specify that if an automobile is shipped with an OTA update capability, then the manufacturer must implement certain security measures to protect the OTA mechanism from attacks or manipulation. This is, quite frankly, common sense: a vehicle that is type-certified for sale should not have a way to render its type-certificate invalid, by way of something that is within the manufacturer's control. A battery catching fire would definitely invalidate the type certificate.

If a manufacturer doesn't implement OTA updates at all, then they obviously don't need to comply with any of those requirements. That said, most automobile regulations don't tend to apply automatically to motorcycles, so perhaps that's why Zero Motorcycle dropped the ball. Still, it points to the problem that the regulation sought to address: OTA updates are badly engineered, result in harm that only accrues to the consumer, and there's no accountability post-sale.