Pwning Electric Motorcycles

Mitchell Marasch, Panie

BSides Seattle 2026 · Day 2 · Track 1

Mitchell and Panie, security researchers sponsored by Veraritoss, present their deep dive into the firmware security of an electric motorcycle manufacturer they pseudonymously call "Moto Motorcycles" due to ongoing disclosure constraints. Despite the manufacturer's aggressive efforts to prevent reverse engineering -- including potting circuit boards in polyurethane resin, refusing to sell parts without a VIN, and ignoring five months of disclosure attempts -- the researchers found critical vulnerabilities that could allow an attacker to remotely flash malicious firmware, control motor torque at highway speeds, disable safety systems, and potentially cause serious injury or death.

AI review

Outstanding vulnerability research on safety-critical vehicle firmware with a complete attack chain from app reverse engineering through firmware forgery to physical safety exploitation. The researchers overcame significant obstacles -- potted hardware, VIN-gated parts, and a completely unresponsive manufacturer -- to identify five critical vulnerabilities including static firmware signing salts, hardcoded bearer tokens, unauthenticated CAN bus, and the absence of asymmetric cryptography. The potential to cause rider injury or death through torque manipulation at highway speeds elevates this…
