Electric Motorcycles Don’t Have To Be Security Nightmares, But This One Was

https://sh.itjust.works/post/57393948

Welp, that’s an opsec / electronics / micromobility crossover that I wasn’t expecting at all.

BTW, in response to a certain comment, OTA updates for vehicles are not mandatory per UN R156 nor ISO 24089:2023. Those regulations specify that if an automobile is shipped with an OTA update capability, then the manufacturer must implement certain security measures to protect the OTA mechanism from attacks or manipulation. This is, quite frankly, common sense: a vehicle that is type-certified for sale should not have a way to render its type-certificate invalid, by way of something that is within the manufacturer’s control.

If a manufacturer doesn’t implement OTA updates at all, then they obviously don’t need to comply with any of those requirements. That said, most automobile regulations don’t tend to apply automatically to motorcycles, so perhaps that’s why Zero Motorcycle dropped the ball. Still, it points to the problem that the regulation sought to address: OTA updates are badly engineered, result in harm that only accrues to the consumer, and there’s no accountability post-sale.