Anyone With a $20 Radio Can Steal Your Yadea Electric Bike — Here's Why
A security flaw in Yadea's T5 e-bike lets attackers clone your key fob signal with cheap hardware. No lockpick required — just a radio and one recorded transmission.
This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.
Severity: HIGH (CVSS 7.3)
Imagine locking your $1,500 electric bike outside a coffee shop, walking in, and watching a stranger ride it away — not because they picked the lock, but because they recorded the invisible radio signal your key fob sent thirty seconds ago.
Who Is At Risk — And How Many People Is That?
Yadea is not a niche brand. It is the world's largest manufacturer of electric two-wheelers by unit sales, shipping tens of millions of vehicles per year across Asia, Europe, Australia, and a rapidly expanding North American market. The T5 is one of its flagship commuter e-bikes, targeted squarely at urban riders who use it as a daily car replacement. Every T5 manufactured from 2024 onward carries this flaw by default, meaning hundreds of thousands of bikes currently locked to racks, parked in garages, and leaned against office buildings are potentially vulnerable.
The financial exposure is real: T5 models retail between $1,200 and $1,800 depending on region, and e-bike theft is already a fast-growing crime category in every major city. Beyond the physical theft angle, this class of vulnerability has broader implications for the emerging category of "smart micromobility" — a market projected to exceed $60 billion by 2030. If the security foundations are this weak at the leading manufacturer, the entire sector has a credibility problem.
What Is Actually Happening — In Plain English
Your Yadea T5 key fob works by broadcasting a short radio message whenever you press the unlock button. Think of it like a very short, very specific knock on a door — the bike's receiver hears it, recognizes the pattern, and opens up. The problem is that this "knock" is always identical. Every single time you press that button, your fob sends the exact same radio signal. It never changes.
An attacker equipped with a cheap software-defined radio — the kind of USB stick you can buy online for $20 to $30 — can sit nearby, invisibly record that signal while you unlock your bike, and replay it later at will. They don't need to know what the signal means. They don't need to decode it or understand it. They just need to play it back, the same way you might record a TV remote's button press with your phone and trigger it later. The bike has no way to distinguish the original transmission from the recorded copy, because it never checks whether it has heard that exact signal before. One recording is all it takes — forever.
This attack requires no special expertise, no expensive equipment, and no physical contact with the bike. A bad actor could casually walk past you in a bike lane, record your unlock event on their phone-sized radio, and return hours later to ride away unchallenged. There is no alarm triggered, no unusual event logged, no indication anything went wrong. To the bike, it looks like a completely normal and authorized unlock.
The Technical Anchor: EV1527 Fixed-Code RF Protocol
- Protocol: EV1527 fixed-code RF (315 MHz / 433 MHz band)
- Root Cause: No rolling code (KeeLoq or equivalent), no cryptographic challenge-response
- Attack Class: CWE-294 — Authentication Bypass by Capture-Replay
- CVSS Score: 7.3 (HIGH) — AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
- Required Tooling: RTL-SDR, HackRF, or Flipper Zero; no decryption necessary
- Persistence: Captured signal valid indefinitely — no expiration or token rotation
The EV1527 chip is a 1990s-era encoder IC designed for simple, low-cost remote controls — garage doors, alarm systems, cheap car accessories. It encodes a fixed 20-bit address and 4-bit data field into a repeating transmission. It was never designed with cryptographic security in mind. Industry best practice for automotive-grade keyless entry has used rolling codes — signals that change with every press using a synchronized counter — since the mid-1990s. The Yadea T5's implementation skips this entirely. This is not a subtle edge-case bug; it is a fundamental architectural choice to use a protocol that the security community has known to be exploitable for over a decade.
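To make the difference concrete, here is an added simulation written for this article (not Yadea's firmware, not any real receiver's code) that models both designs from the receiver's side: an EV1527-style receiver that only compares the 24 fixed bits, and a simplified rolling-code receiver (illustrative, not KeeLoq) that checks an authenticated, forward-moving counter. The addresses, pairing secret and counter values are made up.

```python
import hmac
import hashlib

# Constructed example: an EV1527-style frame is a fixed 20-bit address plus a
# 4-bit data field (24 bits); every press of the same button yields the same bits.
def ev1527_frame(address: int, data: int) -> int:
    assert 0 <= address < (1 << 20) and 0 <= data < (1 << 4)
    return (address << 4) | data

class FixedCodeReceiver:
    """Matches the frame against the paired fob; has no memory of past frames."""
    def __init__(self, address: int, unlock_data: int):
        self.expected = ev1527_frame(address, unlock_data)

    def accept(self, frame: int) -> bool:
        return frame == self.expected

# Simplified rolling-code design (illustrative, not KeeLoq): each press carries
# an incrementing counter authenticated by an HMAC under a secret shared at pairing.
def rolling_frame(address: int, counter: int, key: bytes) -> tuple:
    msg = address.to_bytes(3, "big") + counter.to_bytes(4, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return (address, counter, tag)

class RollingCodeReceiver:
    """Accepts a valid tag only if the counter moves forward (within a resync
    window), so a frame the receiver has already seen is refused."""
    def __init__(self, address: int, key: bytes, window: int = 16):
        self.address, self.key, self.window, self.last = address, key, window, 0

    def accept(self, frame: tuple) -> bool:
        address, counter, tag = frame
        _, _, expected = rolling_frame(address, counter, self.key)
        if address != self.address or not hmac.compare_digest(tag, expected):
            return False
        if not (self.last < counter <= self.last + self.window):
            return False  # already used (replay) or too far ahead
        self.last = counter
        return True

def replay_demo() -> tuple:
    # Record one legitimate unlock from each design, then play it back once.
    fixed_rx = FixedCodeReceiver(0xABCDE, 0x1)
    recorded = ev1527_frame(0xABCDE, 0x1)          # the owner's real press
    fixed = (fixed_rx.accept(recorded), fixed_rx.accept(recorded))
    key = b"constructed-pairing-secret"
    rolling_rx = RollingCodeReceiver(0xABCDE, key)
    recorded = rolling_frame(0xABCDE, 1, key)       # fob counter was 1
    rolling = (rolling_rx.accept(recorded), rolling_rx.accept(recorded))
    return fixed, rolling                           # ((True, True), (True, False))
```

The fixed-code receiver accepts the recorded frame a second time because it has nothing to compare against but the bits themselves; the rolling-code receiver refuses it because the counter did not advance.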
Real-World Context: Discovered, Disclosed, and What We Know About Exploitation
As of publication, there is no confirmed evidence of this vulnerability being actively exploited in the wild, and no known theft campaigns have been publicly attributed to CVE-2025-70994. However, "no confirmed exploitation" is not the same as "safe." The Flipper Zero — a consumer-friendly, pocket-sized radio hacking tool that went viral on social media — has made replay attacks against fixed-code RF systems trivially accessible to non-technical users. Tutorial videos demonstrating exactly this class of attack on other EV1527-based systems number in the hundreds of thousands of views on YouTube and TikTok.
The gap between "technically possible" and "happening on your street corner" is closing rapidly for this vulnerability class. Security researchers familiar with RF exploitation will recognize immediately that the barrier to exploitation here is lower than almost any other HIGH-rated CVE published this year. No memory corruption, no shellcode, no exploit chain — just a record button and a replay button.
What You Should Do Right Now
3 Actionable Steps for T5 Owners
- Step 1 — Never rely on keyless entry alone in high-theft environments. Use a secondary physical lock (a quality U-lock rated Sold Secure Gold or equivalent) as your primary theft deterrent. Treat the T5's electronic lock as a convenience feature, not a security feature, until Yadea issues a hardware remedy. Lock to a fixed, immovable object every single time.
- Step 2 — Contact Yadea support and register your concern formally. Reach out to Yadea's customer service and explicitly ask about a hardware recall or replacement program for the T5 keyless entry module (referencing CVE-2025-70994). Consumer pressure accelerates manufacturer response. Ask specifically whether your serial number and manufacture date are within the affected production run (all T5 units manufactured 2024 onward are listed as affected).
- Step 3 — If you use a GPS tracker, verify it is active and registered. Several aftermarket GPS trackers (including Tile, Apple AirTag, and dedicated bike trackers from brands like Invoxia or Boomerang) can significantly improve recovery odds if theft occurs. Ensure your tracker firmware is current — Tile requires app version 2.31 or later for background location refresh; Apple AirTag requires iOS 17.5 or later for improved separation alerts — and that the tracker is physically concealed within the bike's frame rather than attached externally where a thief can see and remove it.
The Bigger Picture
The Yadea T5 vulnerability is not an isolated incident. It is a symptom of a broader problem in the consumer micromobility industry: security is treated as an afterthought, and cost-cutting leads manufacturers to reach for the cheapest RF component on the shelf regardless of its known limitations. A secure alternative costs only fractions of a penny more than the EV1527. That is the margin at which rider security was compromised.
"Rolling code systems have been the baseline expectation in automotive keyless entry since 1995. Using a fixed-code protocol in a new product in 2024 is not a mistake — it is a decision."
As electric bikes cross the threshold from hobbyist gear to essential urban infrastructure, the security bar must rise to match. Until it does, a U-lock and a healthy skepticism of any "smart" lock feature are your best defenses.
Disclosure note: This article is based on the published CVE record for CVE-2025-70994. Yadea was contacted for comment prior to publication. This article will be updated if the manufacturer responds with a remediation plan. No reproduction of any specific signal captures or attack tooling configurations is included in this reporting.
The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.