A talk by Persephone Karnstein and Mitchell Marasch at BSides Seattle 2026, from Bureau Veritas Cybersecurity.

The research began as a routine security assessment of the Android app used by Zero Motorcycles, a manufacturer of electric motorcycles that support OTA firmware updates over Bluetooth and 4G LTE. It quickly became clear that the attack surface extended far beyond the mobile app and included the FOTA server, Bluetooth pairing protocols, the CAN bus, and the ECU firmware itself.

Ultimately, the researchers demonstrated a full attack chain — from APK decompilation to signing arbitrary firmware and implanting a proof-of-concept C2 payload into unused MCU memory regions. The implant uses the bike's built-in 4G modem to beacon out and receive commands, enabling remote control of braking, throttle, and power while the motorcycle is in motion.

🔗 Article: https://persephonekarnstein.github.io/post/zero-days/

💬 Discuss

Hacking an e‑bike: from APK to C2 in firmware