🎯 Basically, a flaw lets attackers pair with Zero motorcycles over Bluetooth and, once paired, change settings and push their own firmware.
What Happened
A critical vulnerability has been identified in Zero Motorcycles firmware, affecting version 44 and earlier. Because the Bluetooth pairing does not authenticate the connecting device, an attacker within Bluetooth range can pair their own device with the motorcycle. Once paired, they have access to all Bluetooth functions, including the ability to change the motorcycle's firmware.
The Flaw
The vulnerability, designated CVE-2026-1354, is a key exchange without entity authentication (CWE-322): the pairing step establishes a key with whichever device completes the exchange, without checking that the device is one the owner intended to pair. Nothing is "forced"; a device that shows up during the pairing window is simply accepted. In practice the attacker must be within Bluetooth range while the motorcycle is in pairing mode, and their device must stay connected for the whole firmware update. The exposure window is therefore the time the motorcycle spends in pairing mode, not every moment it is powered on.
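The weakness class in miniature. This is an added illustration, not Zero Motorcycles' code or its actual pairing protocol: the Diffie-Hellman group, the message layout and the "pairing secret" (standing in for whatever out-of-band value a real design would use, such as a passkey shown on the dash) are all assumptions chosen to keep the example runnable offline. It shows why a peer that merely completes the key exchange during the pairing window ends up with a session the vehicle trusts, and how requiring a proof of the shared secret bound to the exchange transcript closes that gap while the legitimate app still pairs:

```python
"""Toy model of CWE-322 (key exchange without entity authentication), the
weakness class cited for CVE-2026-1354.  Added illustration only: not Zero
Motorcycles code; the group, message layout and pairing secret are
assumptions chosen so the example runs offline with the standard library."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group.  2**127 - 1 is a Mersenne prime but far too small
# for real use; real BLE pairing uses ECDH over P-256.
P = 2**127 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")


def encode_pub(pub):
    return pub.to_bytes(KEY_BYTES, "big")


def session_key(shared, transcript):
    return hashlib.sha256(b"session" + shared + transcript).digest()


class Motorcycle:
    """The peripheral.  `require_auth` toggles vulnerable vs hardened pairing."""

    def __init__(self, pairing_secret: bytes, require_auth: bool):
        self.pairing_secret = pairing_secret
        self.require_auth = require_auth
        self.firmware = b"firmware-v44"      # constructed sample image
        self.session_key = None
        self._priv, self.pub = dh_keypair()

    def complete_pairing(self, peer_pub, peer_proof=None):
        """Vulnerable path: any peer that finishes the key exchange is paired.
        Hardened path: the peer must also prove knowledge of pairing_secret
        over both public values, so a stranger (or a relaying MITM) cannot
        get a session key accepted."""
        transcript = encode_pub(self.pub) + encode_pub(peer_pub)
        if self.require_auth:
            expected = hmac.new(self.pairing_secret, transcript, hashlib.sha256).digest()
            if peer_proof is None or not hmac.compare_digest(expected, peer_proof):
                return False
        shared = dh_shared_secret(self._priv, peer_pub)
        self.session_key = session_key(shared, transcript)
        return True

    def update_firmware(self, image, tag):
        """Accept an image only over an established session, with `tag`
        authenticating the image under the session key."""
        if self.session_key is None:
            return False
        expected = hmac.new(self.session_key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.firmware = image
        return True


class Phone:
    """A central that may or may not hold the pairing secret."""

    def __init__(self, pairing_secret=None):
        self.pairing_secret = pairing_secret
        self.session_key = None
        self._priv, self.pub = dh_keypair()

    def pair(self, bike):
        transcript = encode_pub(bike.pub) + encode_pub(self.pub)
        proof = None
        if self.pairing_secret is not None:
            proof = hmac.new(self.pairing_secret, transcript, hashlib.sha256).digest()
        if not bike.complete_pairing(self.pub, proof):
            return False
        shared = dh_shared_secret(self._priv, bike.pub)
        self.session_key = session_key(shared, transcript)
        return True

    def push_firmware(self, bike, image):
        tag = hmac.new(self.session_key, image, hashlib.sha256).digest()
        return bike.update_firmware(image, tag)


def attempt_update(require_auth, holds_secret, image=b"firmware-new"):
    """One pairing-mode window: returns (paired, firmware_after)."""
    secret = secrets.token_bytes(16)
    bike = Motorcycle(secret, require_auth)
    phone = Phone(secret if holds_secret else None)
    paired = phone.pair(bike)
    if paired:
        phone.push_firmware(bike, image)
    return paired, bike.firmware


if __name__ == "__main__":
    print("vulnerable, stranger:", attempt_update(False, False))
    print("hardened,   stranger:", attempt_update(True, False))
    print("hardened,   owner:   ", attempt_update(True, True))
```

The proof is an HMAC over both public values, so it is useless to an attacker who relays messages between the real phone and the bike: their substituted public value changes the transcript and the proof no longer verifies. In BLE terms, "Just Works" pairing has exactly the unauthenticated property modelled by `require_auth=False`, while Passkey Entry, Numeric Comparison and Out-of-Band pairing add authentication; the page does not say which mode the affected firmware uses, so the model is deliberately generic.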
What's at Risk
This vulnerability poses a significant risk to users, since it lets an unauthorized person upload firmware of their choosing to the motorcycle. Firmware controls the vehicle's behaviour, so malicious firmware is a safety issue as much as a security one. Motorcycles fall within the transportation sector of critical infrastructure, and the prospect of unauthorized control over a vehicle raises wider concerns about the security of connected transportation systems.
Patch Status
Zero Motorcycles is aware of the vulnerability and plans to release a firmware update in May 2026 to address it. Users are advised to update to the latest firmware as soon as it becomes available.
Immediate Actions
To mitigate risks, users should:
Containment
- Pair mobile devices to the motorcycle only in secure locations, where no untrusted device is likely to be within Bluetooth range while the motorcycle is in pairing mode.
- Ensure the pairing process is completed successfully without interruptions, since the attack depends on the motorcycle being in pairing mode and an incomplete pairing leaves it there.
Remediation
- Install the firmware update that Zero Motorcycles plans to release in May 2026 as soon as it is available; that is the only fix for the underlying flaw.
Conclusion
This vulnerability highlights the importance of robust security measures in connected vehicles. As the technology evolves, so must the approaches to securing critical infrastructure against threats. Users should stay informed and proactive about the security of their devices.
🔒 Pro insight: the root cause is a pairing step that never authenticates the peer (CWE-322). Any Bluetooth-enabled device that accepts firmware over the link needs its pairing to prove the other side is the one the owner intended, and that matters most in critical infrastructure sectors.
