Indian Motorcycle Scout Bobber Wireless Control Module Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year. This vulnerability allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The issue arises because the WCM enforces a brute-force lockout on the immobilizer authentication algorithm. However, the lockout counter can be manipulated by any unauthenticated message, lacks session binding, and does not reset after a power cycle. An attacker can exploit this by sending a small number of crafted frames to trigger the lockout, rendering the motorcycle unstartable until serviced by a dealer.

Impact

Exploitation of this vulnerability leads to the motorcycle being permanently immobilized, requiring dealer intervention to restore functionality.