Indian Motorcycle Scout Bobber Infotainment System PIN Bypass Vulnerability

A vulnerability in the Infotainment system of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The issue arises because the Infotainment system uses the presence of Wireless Control Module (WCM) traffic during boot as an indicator of whether an immobilizer is installed. If no WCM messages are detected, the system skips the PIN entry and goes straight to the user interface. An attacker can exploit this by silencing the WCM during boot, for example, using a CAN bus-off technique, to present an unlocked Infotainment system without entering a PIN.

Impact

Exploitation of this vulnerability allows for unauthorized access to the Infotainment system, bypassing security measures intended to protect user data and system functionality.

Reproduction

To reproduce this vulnerability, an attacker must disrupt the WCM traffic during the Infotainment system's boot process. This can be achieved by applying a CAN bus-off technique, which silences the WCM messages that the system relies on to determine whether an immobilizer is present. Once the WCM traffic is interrupted, the Infotainment system will bypass the PIN entry screen and display the normal user interface, fully unlocked.