I Want Zero Misunderstandings
Disclaimer: The opinions represented in this article are my own and do not reflect those of any employers or research partners past, current, or future.
Introduction
In cybersecurity, it is important to be precise and accurate about findings. Security researchers especially have an obligation to fight against inaccuracies, because they muddy the process of risk management and have the potential to affect the credibility of the researchers involved.
Starting in late 2024, my then-coworker and I embarked on a security research project into Zero motorcycles sponsored by my then-employer Bureau Veritas Cybersecurity North America. Because this was a work-owned project I have previously refrained from posting about it on my own blog. However, it has recently received some attention with the publication of CVE-2026-1354 and unfortunately that attention has come with a lot of inaccuracies. Inaccuracies which are now associated with my name.
The Actual Vulnerability
By reverse-engineering the main bike board firmware blobs for newer Zero motorcycles that support over-the-air updates, we discovered that the bikes do not implement firmware signature verification. That’s it. That’s the vulnerability.
The risk of this is that you could build malicious, unsigned firmware and upload it to certain Zero motorcycles. The main mitigating factor is that you have to trigger an install. This could be done through:
- Tricking people into installing and using a malicious updater app (hey install this app, it will unlock all of your bike’s features)
- Compromising the over-the-air update server itself
You could also just install it manually if you have access to the bike and its key, but at that point you could just steal it or sabotage it in less technically complicated ways.
I think this is a serious enough issue to be worth addressing, especially when the main bike board controls such safety-critical features, but yeah, it’s ultimately a defense-in-depth vulnerability.
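As an added illustration, not code from the research or from Zero, here is the kind of signature check the bikes were found to lack: a bootloader-side verifier with a pinned Ed25519 public key that refuses unsigned, tampered or downgraded images. The image layout, the "ZFW1" magic value and the error names are assumptions made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical, not Zero's real format): 4-byte magic,
// 4-byte big-endian version, payload, then an Ed25519 signature over all of it.
var magic = []byte("ZFW1")
var (
	ErrMalformed = errors.New("image too short or bad magic")
	ErrBadSig    = errors.New("signature missing or invalid")
	ErrRollback  = errors.New("version older than installed firmware")
)

// BuildImage stands in for the vendor's release pipeline; only the public key
// ever leaves it, pinned into the bike's bootloader.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := append([]byte{}, magic...)
	img = append(img, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(img[4:8], version)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the check the main bike board should run before flashing:
// authenticate the whole image first, and only then trust the version field.
func VerifyImage(img []byte, pub ed25519.PublicKey, installed uint32) (uint32, []byte, error) {
	const hdr = 8
	if len(img) < hdr+ed25519.SignatureSize || string(img[:4]) != string(magic) {
		return 0, nil, ErrMalformed
	}
	signed, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	ver := binary.BigEndian.Uint32(signed[4:hdr])
	if ver < installed { // anti-rollback: a validly signed older image is still refused
		return 0, nil, ErrRollback
	}
	return ver, signed[hdr:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	_, _, err := VerifyImage(BuildImage(priv, 2, []byte("constructed payload")), pub, 1)
	fmt.Println("genuine image accepted:", err == nil) // true
}
```

Without the public-key check, the version field and payload are just bytes anyone can write, which is exactly the situation the unsigned-update finding describes.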
SecurityWeek
The article that, in my opinion, has resulted in a lot of the inaccuracies is this SecurityWeek publication that covered this CVE.
It starts with the assertion that:
“[…] SecurityWeek has reached out to the researchers who reported the flaws to find out more about their potential real-world impact”
Perhaps for the Yadea scooters this is correct, but this is not true for the Zero research. Ultimately, this is research owned by Bureau Veritas so that is fine, but some of the following information would have been more accurate if the actual researchers were contacted.
Let us start with this quote:
“Zero motorcycles have a Bluetooth pairing mode that activates when you hold the Mode button for about five seconds, or if the bike has simply never been paired before.”
As far as I am aware you always have to go through the full pairing process. I have never seen evidence that the bike defaults to a discoverable state. That would be a huge difference in real-world exploitability so it is important to be accurate here.
The quote continues:
“During that window, the key exchange doesn’t actually verify who is connecting. An attacker standing within Bluetooth range could jump in and pair their own device to the bike, and the motorcycle would accept it as a legitimate connection.”
This part is probably true, but this is just the standard risk of how Bluetooth pairing typically works. This could be mitigated with a pairing PIN, but what is the attack chain for this?
- An attacker with a bunch of interception tech just happens to be near a bike when the rider is pairing their phone for the first time
- The attacker makes a firmware update request
- The user doesn’t realize their phone got disconnected
- The user lets the entire update process happen while the attacker stands somewhere nearby
I believe this to be a wildly unlikely attack scenario. More importantly, it muddies the issue by bringing the Bluetooth pairing process in, which is mostly being speculated about, and is not the real vulnerability.
“The motorcycle’s main microcontroller controls safety-critical features which includes the torque output, regenerative braking, the contactors that deliver power to the motor, and battery management.”
Battery management is controlled by a separate board. This one can also be updated over-the-air, but it needs to be done separately.
You’re Not Off the Hook Either, Zero
In this article I have mostly described factors that limit the exploitability of these motorcycles. To be clear, this is because I want to clarify research I was involved in, not because I am trying to vindicate Zero Motorcycles.
They intentionally ignored us when we attempted to report the issue, despite our good faith efforts to privately disclose this vulnerability. More importantly, failing to implement basic, industry-standard security features like signature validation on bikes that riders are trusting with their lives is a really bad look.