UNECE Regulation 155

Articles, guides, and products tagged "UNECE Regulation 155" — a combined view of every catalogue resource on this topic.

User guide

E-scooter cybersecurity engineering: ETSI EN 303 645 V3.2.0:2024-12 baseline (13 provisions for consumer IoT — no default password, vulnerability disclosure RFC 9116, secure update, secure storage, secure communication), ISO/SAE 21434:2021 road-vehicle cybersecurity engineering (TARA threat analysis + risk assessment), ISO/SAE 24089:2023 software update engineering, UNECE R155 CSMS (Cybersecurity Management System) mandatory for new vehicle type-approvals from 07-2022, UNECE R156 SUMS (Software Update Management System), EU Cyber Resilience Act 2024/2847 (Regulation 2024-10-23, applicability 2027-12-11 + reporting obligations 2026-09-11), NIST SP 800-193:2018 Platform Firmware Resilience Guidelines (Protection-Detection-Recovery RoT), NIST SP 800-183 IoT Networks of Things, IEC 62443-4-1/-4-2 secure product development lifecycle, Bluetooth Core 5.4 LE Secure Connections with ECDH P-256 (replacing Just Works as baseline), IEEE 802.11i WPA3-Personal SAE Dragonfly key exchange, RFC 9116 security.txt responsible-disclosure, attack surface (BLE pairing Just Works/Numeric Comparison/Passkey Entry/OOB, Bluetooth protocol attacks KNOB CVE-2019-9506 + BIAS CVE-2020-10135 + BLURtooth CVE-2020-15802 + BLESA CVE-2020-9770, firmware via JTAG/SWD/USB DFU, motor controller CAN bus, mobile app↔cloud TLS, OTA update channel signing, GPS spoofing, smart-battery BMS handshake, hardware UART debug eFuse), mitigation (LE Secure Connections ECDH P-256 + mutual TLS certificate pinning + secure boot signed bootloader + signed firmware AES-256 + anti-rollback monotonic counter + HSM/secure element ATECC608B/NXP A1006/SE050 + SBOM SPDX CycloneDX + RFC 9116 security.txt + Coordinated Vulnerability Disclosure ISO/IEC 29147:2018 + penetration testing ISTQB), incidents (Xiaomi M365 BLE anti-lock bypass 2019 Zimperium Rani Idan, Lime BLE replay attack 2019, Bird/Lime API IDOR 2020, Ninebot ES1/ES2/ES4 BLE pwd 888888 vulnerability, Tier/Voi unauthorized unlock 2022, hoverboard CVE catalogue 2018)

Engineering deep-dive into e-scooter cybersecurity as the fourth cross-cutting infrastructure axis — parallel to fastener engineering as joining-axis, thermal management as heat-dissipation axis, and EMC/EMI as interference-mitigation axis. Covers: 10-row standards matrix (ETSI EN 303 645 V3.2.0:2024-12 consumer IoT baseline, ISO/SAE 21434:2021 road-vehicle TARA, ISO/SAE 24089:2023 SW update engineering, UNECE R155 CSMS, UNECE R156 SUMS, EU CRA 2024/2847, NIST SP 800-193 firmware RoT, IEC 62443-4-1 secure SDLC, Bluetooth Core 5.4 LE Secure Connections, IEEE 802.11i WPA3-SAE); 7-row attack-surface matrix (BLE pairing methods + KNOB/BIAS/BLURtooth/BLESA + firmware JTAG/SWD/DFU + mobile↔cloud TLS + OTA signing + GPS spoofing + smart-battery handshake); 6-row mitigation matrix (LE Secure Connections + mutual TLS + secure boot + signed firmware + anti-rollback + HSM/SE); 6-row real-incident matrix (Xiaomi M365 2019 + Lime BLE 2019 + Bird IDOR 2020 + Ninebot pwd 888888 + Tier/Voi 2022 + hoverboard catalogue); 8-step DIY security check; 6-step DIY remediation; EU Cyber Resilience Act timeline (2024-12-10 entry into force, 2026-09-11 reporting obligations, 2027-12-11 full applicability); 16 numbered sections.

17 min read

User guide

Software and firmware engineering for embedded ECUs of an electric scooter as the 29th engineering axis: UN R156 SUMS + ISO/SAE 21434 + Automotive SPICE 4.0 + MISRA C:2023 + ISO 26262-6:2018 + AUTOSAR Classic R23-11 + ISO/IEC/IEEE 12207:2017 + ISO/IEC/IEEE 29148:2018 + ISO/IEC 25010:2023 + CISA SBOM Minimum Elements + CWE/CVE + CVSS v4.0

Engineering deep-dive into software & firmware engineering as the 29th engineering axis and the twelfth cross-cutting infrastructure axis — describes how firmware of e-scooter embedded ECUs (motor controller + BMS + dashboard + IoT gateway + charger MCU) is developed under MISRA C:2023, validated through the Automotive SPICE 4.0 V-model + SWE.1–SWE.6 + SYS.1–SYS.5 + HWE.1–HWE.4 + MLE.1–MLE.4, OTA-updated under UN R156 SUMS (L-category mandate: Dec 2027 new types / June 2029 existing types), traced through the ISO/IEC/IEEE 12207:2017 software lifecycle's 30 processes in 4 groups (Agreement + Organizational Project-Enabling + Technical Management + Technical), documented via SBOM per CISA Minimum Elements 2025 (Supplier + Component + Version + Unique-IDs + Dependencies + Author + Timestamp + Hash + License + Tool + Generation-Context) in SPDX 2.3 and CycloneDX 1.6 formats, versioned through the ISO/IEC 25010:2023 product quality model's 8 characteristics, qualified at the toolchain level per ISO 26262-8 Clause 11 (TCL1/TCL2/TCL3 + TD1/TD2/TD3), and monitored through CWE Top 25 + CVSS v4.0 (Base + Threat + Environmental + Supplemental). 18 numbered sections.

15 min read