Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

A detailed security research writeup exposing critical vulnerabilities in Zero Motorcycles electric bikes. Researchers reverse-engineered the Android app using JADX and Frida, extracted hardcoded credentials from the app's BuildConfig, downloaded firmware from the OTA server using a fake VIN, and discovered the firmware uses only a salted SHA-512 with a static hardcoded salt for verification — no asymmetric signing. This allowed arbitrary firmware signing and installation via Bluetooth without authentication. The CAN bus interface (accessible via OBD-2) also has zero authentication, enabling firmware writes to BMS and BMU components. Researchers pseudocoded a C2 implant that could remotely control torque, regenerative braking, and battery contactors — potentially causing crashes or fires. Disclosure attempts to Zero Motorcycles went unanswered for over 13 months until CERT/CC intervened. Zero has since taken the FOTA server offline and begun implementing ECDSA firmware signing.

Zero Days: Electric Motorcycles are a Security Nightmare · PersephoneKarnstein.github.io