CVE-2026-49323
May 29, 2026

Indian Scout 2025: WCM-to-ECM weak authentication enables immobilizer bypass

Description

Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer.

Specific protocol details have been withheld pending vendor remediation.

Recommended remediation:

Replace the non-cryptographic authentication response with HMAC-SHA-256 or ECDSA over a fresh nonce, ECU identifier, and session counter; provision per-vehicle symmetric keys in tamper-resistant secure elements on both authenticating modules.
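
The recommended HMAC-SHA-256 challenge-response, as an added example that is not code from the advisory, the finder or the vendor. The 16-byte nonce, 64-bit counter, message layout, key and ECU identifier are assumptions made for illustration; key provisioning in a secure element is outside what it shows.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16  # assumed nonce size; the advisory only requires a fresh nonce

def auth_tag(key: bytes, nonce: bytes, ecu_id: bytes, counter: int) -> bytes:
    """HMAC-SHA-256 over nonce, ECU identifier and session counter."""
    # Length-prefix the variable-length field so the encoding is unambiguous.
    msg = nonce + struct.pack(">H", len(ecu_id)) + ecu_id + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Challenging side of the exchange (the ECM role in the advisory)."""
    def __init__(self, key: bytes, ecu_id: bytes):
        self.key, self.ecu_id = key, ecu_id
        self.last_counter = -1  # highest session counter accepted so far
        self.pending = None     # outstanding nonce, valid for one attempt

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(NONCE_LEN)
        return self.pending

    def verify(self, counter: int, tag: bytes) -> bool:
        nonce, self.pending = self.pending, None  # consume the nonce
        if nonce is None or counter <= self.last_counter:
            return False
        expected = auth_tag(self.key, nonce, self.ecu_id, counter)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False
        self.last_counter = counter
        return True

def demo() -> dict:
    """Run one valid exchange, then three attempts the verifier must reject."""
    key = secrets.token_bytes(32)   # constructed per-vehicle key
    ecu_id = b"ECM-EXAMPLE"         # constructed identifier
    ecm = Verifier(key, ecu_id)
    tag1 = auth_tag(key, ecm.challenge(), ecu_id, 1)  # exchange seen on the bus
    fresh = ecm.verify(1, tag1)
    ecm.challenge()                                    # next session, new nonce
    replay = ecm.verify(2, tag1)                       # captured tag replayed
    stale = ecm.verify(1, auth_tag(key, ecm.challenge(), ecu_id, 1))
    wrong = ecm.verify(3, auth_tag(secrets.token_bytes(32), ecm.challenge(), ecu_id, 3))
    return {"fresh": fresh, "replay": replay, "stale_counter": stale, "wrong_key": wrong}
```

A tag captured from one exchange is bound to that exchange's nonce and counter, so it fails against any later challenge.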

Credits

Scott Sheahan, Rustic Security LLC (finder)

Timeline

2025-03-26: Reported to Indian Motorcycle (Polaris Inc.) by Rustic Security LLC under responsible disclosure

2026-05-29: Public disclosure by ASRG

Advisory Details

Affected Products: Indian Motorcycle (Polaris Inc.) Scout Bobber + Tech, 2025 model year — Wireless Control Module (WCM), Engine Control Module (ECM)
Problem Type: CWE-1390 Weak Authentication
CAPEC ID: CAPEC-97 Cryptanalysis
CVSS 3.1: 4.3 (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVSS 4.0: 4.1 (CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
Published: May 29, 2026