Yadea T5 Electric Bicycles Keyless Entry System Weak Authentication Vulnerability
Vulnerability
A vulnerability exists in the keyless entry system of Yadea T5 Electric Bicycles manufactured in or after 2024. The issue arises from a weak authentication mechanism that uses the EV1527 fixed-code RF protocol without rolling codes or cryptographic challenge-response features. This flaw allows a local attacker to intercept legitimate key fob transmissions and replay them, leading to unauthorized operation of the vehicle.
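The sketch below is an added example, not code from this advisory or from the manufacturer's firmware. It models the receiver-side check of a fixed-code frame (20-bit address plus 4-bit data) next to a counter-and-HMAC rolling-code check, to show why only the latter can reject a repeated or altered frame. The address, command values, key, counter window and 8-byte tag length are constructed assumptions.

```python
import hashlib
import hmac

ADDRESS = 0xA5C3F                    # constructed 20-bit fob address
CMD_A, CMD_B = 0x1, 0x2              # constructed 4-bit command codes
KEY = b"constructed-per-fob-secret"  # assumption: secret shared at pairing
WINDOW = 16                          # assumption: accepted counter look-ahead

def fixed_frame(address, cmd):
    """Fixed-code 24-bit frame: 20-bit address followed by 4-bit data."""
    return ((address & 0xFFFFF) << 4) | (cmd & 0xF)

def fixed_accepts(frame, address):
    # The only check is a static address match: no secret, no freshness.
    return (frame >> 4) == address

def _tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def rolling_frame(address, cmd, counter, key=KEY):
    # address (3 bytes) | command (1 byte) | counter (4 bytes) | HMAC tag (8 bytes)
    msg = address.to_bytes(3, "big") + bytes([cmd]) + counter.to_bytes(4, "big")
    return msg + _tag(key, msg)

class RollingReceiver:
    def __init__(self, address, key=KEY):
        self.address, self.key, self.last = address, key, 0

    def accept(self, frame):
        msg, tag = frame[:8], frame[8:]
        if not hmac.compare_digest(tag, _tag(self.key, msg)):
            return False             # altered frame or wrong key
        if int.from_bytes(msg[:3], "big") != self.address:
            return False
        counter = int.from_bytes(msg[4:], "big")
        if not (self.last < counter <= self.last + WINDOW):
            return False             # stale (repeated) or too far ahead
        self.last = counter
        return True

def demo():
    captured = fixed_frame(ADDRESS, CMD_A)
    first = rolling_frame(ADDRESS, CMD_A, 1)
    rx = RollingReceiver(ADDRESS)
    return {
        "fixed_replay": fixed_accepts(captured, ADDRESS) and fixed_accepts(captured, ADDRESS),
        "fixed_other_cmd": fixed_accepts(fixed_frame(captured >> 4, CMD_B), ADDRESS),
        "rolling_fresh": rx.accept(first),
        "rolling_replay": rx.accept(first),
        "rolling_altered_cmd": rx.accept(first[:3] + bytes([CMD_B]) + first[4:]),
        "rolling_next": rx.accept(rolling_frame(ADDRESS, CMD_B, 2)),
    }
```

Calling `demo()` shows the fixed-code check accepting both the repeated frame and a frame with a different command nibble, while the rolling-code receiver accepts only frames with a valid tag and a counter it has not yet seen.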
Impact
Exploitation of this vulnerability allows for unauthorized access and operation of the affected bicycle.
Reproduction
The vulnerability can be reproduced by intercepting a legitimate key fob transmission using a passive signal analyzer. Once the 20-bit vehicle address is captured, it can be used to forge a command by appending the hex code for a high-sensitivity action, such as starting the vehicle, and broadcasting the synthesized signal. The bicycle will recognize the forged command as valid and execute it.
Remediation
There is no global fix available from the manufacturer. Vehicle owners are advised to disregard the electronic keyless entry system for security purposes and use heavy-duty physical locks instead.
