Security researchers reveal how an electric motorcycle system could be hacked through software and OTA updates.
Years ago people joked that someday we’d be able to download a car. At the time it sounded ridiculous. Later, Zero Motorcycles even stated in its FAQ that hacking an electric motorcycle wasn’t possible.
Security researcher Persephone Karnstein and collaborator Mitchell Marasch decided to look closer at that claim—and what they found suggested the opposite. According to Karnstein, the system behind one electric motorcycle turned out to be something of a securty nightmare.
Their findings were presented at BSides Seattle 2026, and the full technical breakdown later appeared online. The write-up dives into far more detail than a short summary could cover, from the chemicals needed to remove protective resin from a circuit board to the scripts used to decompile firmware and analyze the bike’s software.
Even readers who aren’t deeply into cybersecurity might find the investigation interesting. The process of reverse-engineering modern connected vehicles shows just how complex—and sometimes fragile—these systems can be.
At the center of the issue wasn’t just the motorcycle hardware. The bike communicates with a smartphone app that interacts with its electronics and receives over-the-air software updates. That connection opened a path researchers were able to explore.
One detail involved the vehicle identification number. Some systems appeared to expect code tied to a VIN. However, the researchers say they discovered the system didn’t always require a real VIN—just something formatted like one. That small loophole helped them move further into the system’s software structure.
Eventually, they were able to gain deep access to the bike’s firmware, effectively giving them broad control over many onboard systems. From a security standpoint, that level of access raised serious questions about how connected motorcycles should handle authentication and updates.
In theory, a malicious update pushed through an OTA system could alter important vehicle behavior. Instead of physically tampering with a motorcycle, someone might attempt to change software settings remotely. Researchers even noted that certain systems—like battery management—also received OTA updates, which adds another layer of complexity.
Importantly, the researchers emphasized that the malware examples discussed were purely conceptual and never deployed. The goal was to demonstrate possible vulnerabilities, not exploit them in the real world.
None of this means electronic motorcycles themselves are a bad idea. Modern vehicles—cars and bikes alike—rely heavily on software and networked systems. Many innovative projects depend entirely on digital control to function.
The real lesson is about execution. Connected technology requires strong security design from the start. Without it, even well-engineered hardware can develop weak points.
In other words, the problem isn’t electric motorcycles—it’s when the sofware protecting them isn’t built carefully enough.