Zero Motorcycles firmware versions 44 and prior enable an attacker to
forcibly pair a device with the motorcycle via Bluetooth. Once paired,
an attacker can utilize over-the-air firmware updating functionality to
potentially upload malicious firmware to the motorcycle. The motorcycle
must first be in Bluetooth pairing mode, and the attacker must be in
proximity of the vehicle and understand the full pairing process, to be
able to pair their device with the vehicle. The attacker's device must
remain paired with and in proximity of the motorcycle for the entire
duration of the firmware update.
Zero Motorcycles has investigated this report and cautions users to pair
their mobile device to their vehicle in a safe location where they can
be sure no one else will try to pair at the same time. Once initiated,
complete the full pairing process and confirm it is successful. Store
physical keys in a secure location and do not leave the bike unattended
with the key in the "ON" position. Zero Motorcycles plans to address
this issue in a firmware update scheduled for release in May 2026.
Update the firmware to the latest available version.