Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025…
The Indian Motorcycle Scout Bobber + Tech 2025 model has a weak authentication issue between the Wireless Control Module and the Engine Control Module. An adjacent-network attacker can recover the ECM immobilizer secret by observing a single seed/key exchange, allowing them to start the engine. The authentication mechanism uses a reversible operation instead of a cryptographic challenge-response.
Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.
Owners of the Indian Motorcycle Scout Bobber + Tech 2025 model are at medium risk of vehicle theft due to weak authentication between modules.
Monitor & Review
Low severity — keep this CVE on your radar and patch during routine maintenance.
What should I do?
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
0
Affected Products
1
References
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability
Impact