Electric Motorcycles Don’t Have To Be Security Nightmares, But This One Was

Once upon a time, they told us we wouldn’t download a car, and they were wrong. Later, Zero Motorcycles stated in their FAQ that you cannot hack an electric motorcycle, a statement which [Persephone Karnstein] and collaborator [Mitchell Marasch] evidently took issue with. Not only can you hack an electric motorcycle, it is — in [Persephone]’s words — a security nightmare.

You should absolutely go over to [Persephone]’s website and check out the whole write-up, which is adapted from a talk given at BSides Seattle 2026. There’s simply way more detail than we can get into here. Everything from “what horridly toxic solvents would I need to unpot this PCB?” to the scripts used in decompiling and understanding the code, it’s all there, and in a lively and readable style to boot. Even if you have no interest in security, or in electric motorcycles, you should check it out.

The upshot is that not only were Zero Motorcycles wrong when they said their electric motorcycles could not be hacked, they were hilariously wrong. The problem isn’t the motorcycle alone: it has an app that talks to the electronics on the bike, which take over-the-air (OTA) updates. What about the code linked to the VIN alluded to in that screenshot? Well, it turns out you just need a code structured like a VIN, not an actual number. Oops. By the end of it, [Persephone] and [Mitchell] have taken absolute control of the bike’s firmware, and so have full control over all its systems.

Why cut the brake lines when you can perform an OTA update that will do the same thing invisibly? And don’t think you can just reset the bike to factory settings to fix it: they thought of this, and the purely-conceptual, never-deployed malware has enough access to prevent that. Or they could just set the battery on fire. That was an option, too, because the battery management system gets OTA updates as well.

To be clear, we don’t have any problem with a motorcycle that’s dependent on electronics to operate. After all, we’ve seen many projects that would meet that definition over the years. But the difference is none of those projects fumbled the execution this badly. Even this 3 kW unicycle, which has a computer for balance control, doesn’t see the need to expose itself. It’s horribly unsafe in very different ways.

31 thoughts on “Electric Motorcycles Don’t Have To Be Security Nightmares, But This One Was”

  1. “The upshot is [made a claim about security that turned out to be false].” Why is this an upshot? I don’t see anything good coming from a company lying about security.

    Overall this seems to fit in very well with other articles over the years about the poor state of security in modern vehicles (electric or otherwise).

        1. You haven’t seen that before because it’s wrong.

          Up/down is good/bad. When we feel happy we are up, when we feel sad we are down. “Upshot” has an implicit positive connection. It’s not merely a replacement for result or outcome.

          1. You are wrong.
            “upshot” being a synonym for “result” or “outcome” is literally the only way I have ever seen this used.
            …but I suspect this is a non-USA word which gets misinterpreted by Yanks.

          2. Confidently Incorrect.
            Etymology: originally, the final shot in an archery match, hence the figurative sense of “result, issue, conclusion” (c. 1600).
            Definitions of upshot. noun. a phenomenon that follows and is caused by some previous phenomenon. synonyms: consequence, effect, event, issue, outcome, result.

  2. OTA updates for vehicles should be illegal. Companies keep doing this, make it hard for the common tinkerer to slightly modify their things, but make it so that it is easy for an experienced hacker to easily fk up with the bms, come on…

      1. UN R156 does not mandate OTA updates. It mandates “uniform provisions concerning the approval of vehicles with regards to software update and software updates management system”, and “applies to vehicles of Categories M, N, O, R, S and T that permit software updates”.

        In other words, it standardizes some legal procedures surrounding certain vehicles that already provide OTA updates, but does not mandate OTA updates themselves.

        1. And how can you be compliant with R155 without R156? Will somebody visit every sold car and stick a USB drive into it? Who will pay for that?

          1. No. The customer needs to bring it to the dealer for the update. This has been a thing for quite a while now.

    1. Back in 1992 the novel Snow Crash predicted motorcycles that receive software updates that make them crash. Not the character with the nuclear torpedo sidecar, although he was pretty cool and probably coming to a street near you soon; it was the time Mr Hiro bought a fancy motorcycle and all the fancy accessories and it went quite well until the motorcycle’s firmware crashed. Decades later all the cyberpunk novels blurrrr together along with IRL, so who knows, it could have been a different novel in the Snow Crash universe. It would make a great movie or miniseries; however, I would not want to see the usual suspects intentionally subvert it, so maybe it’s for the best that it was never made into a movie.

      1. I think there was also some form of Gatling gun that was shipped before the firmware was ready; it got an OTA as well.
        Great book. I always thought the Google founders read it like a bible.

    2. It’s a problem with modern cars if you don’t allow this. Everything is connected. Software is constantly updated for self driving, for fixing bugs etc. Almost all those so-called recalls Tesla had were just OTA updates, with only a few things that required an actual mechanic to look at it. With more old-school vehicles like the average Stellantis car, it’s much more common to have to go back for physical recalls. The constant need for new updates for self driving and other things that are totally linked within the car’s systems requires frequent updates.

      Don’t get me wrong, I’m not advocating for it. I’m fully anti electric cars. I think they are horrible for an entire notebook full of reasons. I’m looking into Austin 7s from the 1920s/1930s. A Ford Model A would be nice too. I want one I can use as a daily driver and keep my Toyota on the side for long trips where I need to drive a bit faster.

        1. Rags to riches (a C64 game from a long time ago), Royal Tank Regiment (British), Right to Represent (recruiting authorization), Record-to-Report (financial accounting process), Ready-To-Receive (IBM VTAM), Ready to Rock, Real-Time Rendering, Rubber Tramp Rendezvous (Arizona event), should I go on?

          You can also visit: https://www.acronymfinder.com/RTR.html
          When looking at the number of entries you’ll suddenly realize how useless acronyms are if you never heard of them before or are clueless about the context in which they are used.

          1. Thank you. Going by context clues: motorized ride-on equipment, and electric powered RC (remote/radio control), the two I picked were the closest match. Boutique class equipment like Lamborghini or Zero is rarely very repairable (arguably the Venn diagram for Lambo/Zero owners would have a significant crossover, due to income alone).

          2. HaD’s policy is not to explain acronyms because if you need it explained you’re a noob or a script kiddie.

  3. “we don’t have any problem with a motorcycle that’s dependent on electronics to operate”
    Some of us don’t have any problem with a motorcycle that’s dependent on electronics to operate.

  4. Good news, the fact these are expensive and rare means there are probably only a few dozen being ridden regularly.

    Sounds like disabling the kickstand switch may be the simplest method to prevent it being hacked, although killing the wireless would be a tad more hardened.

    The researchers did not seem familiar at all with the concept of CAN bus; they claimed that the “OBD port” was the access to the bus, where any device on the bus would have access to it, and on a modern vehicle this could include the headlights, taillights (or on a motorcycle the dash may be particularly accessible). Bringing this full circle to a classic theft method seen in the ‘reboot’ of Gone in Sixty Seconds, where the car thieves broke into a car using a simpler electrical hack on a marker light. (Off topic, the reboot of ‘Fast and Furious’ was much more successful. And yes, The Fast and the Furious was a 1954 movie. Not to be confused with the 1939 mystery.)

  5. I’m not sure you can have it both ways. You either have something you can work on, or you have a system that only the manufacturer can change. I’d rather have an open system that I can work on, even if it means some hypothetical malicious actor could set my battery on fire. I think the author understated the difficulty of accessing the bike via BLE or CAN in any case.

  6. Over The Air updates should never be allowed (planes/trains/cars/bikes/etc.). Plug in to update software. Seems ‘smart’ to me … Attack surface just got a lot smaller. But even routers and such, are pushing apps to ‘update’ from your phone :rolleyes: . And of course the phone itself (another story)… Should be plug in, hear the ‘click’, and then update. Period. Convenience seems to trump common sense.
