A detailed security research writeup exposing critical vulnerabilities in Zero Motorcycles electric bikes. Researchers reverse-engineered the Android app using JADX and Frida, extracted hardcoded credentials from the app's BuildConfig, downloaded firmware from the OTA server using a fake VIN, and discovered the firmware uses only a salted SHA-512 with a static hardcoded salt for verification — no asymmetric signing. This allowed arbitrary firmware signing and installation via Bluetooth without authentication. The CAN bus interface (accessible via OBD-2) also has zero authentication, enabling firmware writes to BMS and BMU components. Researchers pseudocoded a C2 implant that could remotely control torque, regenerative braking, and battery contactors — potentially causing crashes or fires. Disclosure attempts to Zero Motorcycles went unanswered for over 13 months until CERT/CC intervened. Zero has since taken the FOTA server offline and begun implementing ECDSA firmware signing.
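As an added illustration (not code from the writeup or from Zero Motorcycles), the Go program below contrasts the two verification designs the summary names: a static-salt SHA-512 tag, which anyone holding the salt can recompute for any image, and an ECDSA signature that the device checks with a public key only. The salt, firmware bytes and key are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Constructed placeholder; the real hardcoded salt is not reproduced here.
var staticSalt = []byte("constructed-placeholder-salt")

// weakTag models an integrity check that is only a salted hash: the salt
// ships inside the app, so whoever has it can tag any image they like.
func weakTag(fw []byte) []byte {
	h := sha512.New()
	h.Write(staticSalt)
	h.Write(fw)
	return h.Sum(nil)
}

func weakVerify(fw, tag []byte) bool {
	return bytes.Equal(weakTag(fw), tag)
}

// signFirmware runs on the vendor build system; the private key never ships.
func signFirmware(priv *ecdsa.PrivateKey, fw []byte) ([]byte, error) {
	digest := sha512.Sum512(fw)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyFirmware runs on the device, which holds only the public key.
func verifyFirmware(pub *ecdsa.PublicKey, fw, sig []byte) bool {
	digest := sha512.Sum512(fw)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	genuine := []byte("constructed firmware image v1")
	tampered := []byte("constructed firmware image v1 with altered torque table")

	// Weak scheme: a tag for the tampered image is accepted just like a real one.
	fmt.Println("weak: tampered accepted =", weakVerify(tampered, weakTag(tampered)))

	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := signFirmware(priv, genuine)
	fmt.Println("ecdsa: genuine accepted  =", verifyFirmware(&priv.PublicKey, genuine, sig))
	fmt.Println("ecdsa: tampered accepted =", verifyFirmware(&priv.PublicKey, tampered, sig))
}
```

The device-side check only gains anything once the public key is pinned in the receiving ECU and the private key stays off the phone and the OTA server.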

From persephonekarnstein.github.io (35 minute read)
Table of contents
- Depotting Attempts
- Android App
- Firmware
- Attacks
- Frida
- CAN Bus
- Malicious Firmware
- Worst Case Scenarios
- A C2 for your Motorcycle
- Stuxnet for your Motorcycle
- Disclosure Attempts and the Law
- Disclosure Attempts
- Disclosure Success!
- Legal
