Scott Sheahan

**Name of the Vulnerable Software and Affected Versions** Indian Motorcycle Scout Bobber + Tech 2025 model year **Description** Weak authentication in the Wireless Control Module (WCM) allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation instead of a cryptographic challenge-response, making the PIN mathematically derivable from one captured exchange and bypassing the primary user-authentication control. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Indian Motorcycle Scout Bobber + Tech 2025 model year **Description** Weak authentication exists between the Wireless Control Module (WCM) and the Engine Control Module (ECM). An adjacent-network attacker with read access to the in-vehicle network can recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. This is possible because the WCM uses a reversible, non-cryptographic operation instead of a cryptographic challenge-response to derive its response, allowing the persistent immobilizer secret to be reconstructed from one captured exchange. An attacker possessing this secret can authenticate to the ECM independently of the WCM to start the engine, effectively bypassing the immobilizer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Indian Motorcycle Scout Bobber + Tech 2025 model year **Description** Uncontrolled resource consumption in the Wireless Control Module (WCM) allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM implements a brute-force lockout on the immobilizer authentication algorithm; however, the lockout counter can be reached by any unauthenticated message, lacks session binding, and does not reset after a power cycle. An attacker can trigger this lockout using a small number of crafted frames, rendering the vehicle un-startable until it receives dealer service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.