Scout Bobber Tech
Monthly
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display allows a physically proximate attacker to reach the fully unlocked user interface without entering a PIN. The system's boot-sequence logic (CWE-696) uses the mere presence of Wireless Control Module (WCM) CAN bus traffic as a proxy for immobilizer-fitment, and silently drops the PIN gate when no WCM messages appear - a condition an attacker can manufacture by suppressing the WCM via a CAN bus-off technique during the boot window. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical proximity to the vehicle to access the fully unlocked infotainment interface without entering the correct PIN. The root cause (CWE-696, Incorrect Behavior Order) is that the system treats the presence of Wireless Control Module (WCM) CAN bus traffic during its startup boot window as a proxy for immobilizer detection, and skips PIN enforcement entirely when no WCM messages are observed - a condition an attacker can manufacture by silencing the WCM. Reported by ASRG with no public exploit code and no CISA KEV listing; specific timing and protocol details have been withheld pending vendor remediation.
CAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM)-enforced immobilizer, enabling vehicle operation without legitimate anti-theft deactivation. An attacker within physical or adjacent proximity drives the WCM's CAN controller into bus-off state by incrementing its transmit error counter past the threshold, permanently silencing the WCM's periodic shutdown command. Because peer ECUs treat WCM silence as benign rather than a security event - a fail-open design - the motorcycle becomes fully operable as though the immobilizer were properly unlocked. No public exploit code has been identified at time of analysis; ASRG is withholding full protocol details pending vendor remediation, reported under CVE-2026-49316.
Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wireless Control Module wiring harness to leave the motorcycle fully operable without ever supplying a valid rider PIN. The root flaw is a fail-open ECU design: the peer ECU cannot distinguish an authenticated WCM shutdown pulse from a simple open-circuit condition caused by disconnecting the relevant wire pair, so wire interruption silently suppresses the immobilizer. Reported by ASRG under coordinated disclosure with connector details withheld; no public exploit has been identified and the vulnerability is not confirmed actively exploited (CISA KEV).
Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allows an adjacent-network attacker with write access to the in-vehicle network to irreversibly immobilize the motorcycle by deliberately tripping an immobilizer lockout counter that persists across power cycles. The WCM's lockout counter accepts increments from any unauthenticated message without session binding, meaning a small number of crafted in-vehicle network frames is sufficient to trigger a permanent lockout condition requiring dealer intervention to resolve. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, though the attack technique is straightforward given adjacent network access.
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, meaning the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange - no brute force required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display allows a physically proximate attacker to reach the fully unlocked user interface without entering a PIN. The system's boot-sequence logic (CWE-696) uses the mere presence of Wireless Control Module (WCM) CAN bus traffic as a proxy for immobilizer-fitment, and silently drops the PIN gate when no WCM messages appear - a condition an attacker can manufacture by suppressing the WCM via a CAN bus-off technique during the boot window. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical proximity to the vehicle to access the fully unlocked infotainment interface without entering the correct PIN. The root cause (CWE-696, Incorrect Behavior Order) is that the system treats the presence of Wireless Control Module (WCM) CAN bus traffic during its startup boot window as a proxy for immobilizer detection, and skips PIN enforcement entirely when no WCM messages are observed - a condition an attacker can manufacture by silencing the WCM. Reported by ASRG with no public exploit code and no CISA KEV listing; specific timing and protocol details have been withheld pending vendor remediation.
CAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM)-enforced immobilizer, enabling vehicle operation without legitimate anti-theft deactivation. An attacker within physical or adjacent proximity drives the WCM's CAN controller into bus-off state by incrementing its transmit error counter past the threshold, permanently silencing the WCM's periodic shutdown command. Because peer ECUs treat WCM silence as benign rather than a security event - a fail-open design - the motorcycle becomes fully operable as though the immobilizer were properly unlocked. No public exploit code has been identified at time of analysis; ASRG is withholding full protocol details pending vendor remediation, reported under CVE-2026-49316.
Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wireless Control Module wiring harness to leave the motorcycle fully operable without ever supplying a valid rider PIN. The root flaw is a fail-open ECU design: the peer ECU cannot distinguish an authenticated WCM shutdown pulse from a simple open-circuit condition caused by disconnecting the relevant wire pair, so wire interruption silently suppresses the immobilizer. Reported by ASRG under coordinated disclosure with connector details withheld; no public exploit has been identified and the vulnerability is not confirmed actively exploited (CISA KEV).
Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allows an adjacent-network attacker with write access to the in-vehicle network to irreversibly immobilize the motorcycle by deliberately tripping an immobilizer lockout counter that persists across power cycles. The WCM's lockout counter accepts increments from any unauthenticated message without session binding, meaning a small number of crafted in-vehicle network frames is sufficient to trigger a permanent lockout condition requiring dealer intervention to resolve. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, though the attack technique is straightforward given adjacent network access.
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, meaning the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange - no brute force required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.