Nyon Unchained: Forensic Analysis of Bosch's eBike Board Computers

TL;DR

This paper presents a forensic analysis of Bosch's Nyon eBike computers, revealing vulnerabilities and data access methods across two models, highlighting privacy and security implications for modern connected devices.

Contribution

It provides the first detailed forensic examination of Bosch Nyon eBike computers, identifying vulnerabilities and data extraction techniques for both older and newer models.

Findings

First-generation Nyon had a design flaw allowing remote data access.

User data, including GPS and activity logs, can be extracted from both models.

Even encrypted data on newer models can be accessed with hardware techniques.

Abstract

Modern eBike on-board computers are basically small PCs that not only offer motor control, navigation, and performance monitoring, but also store lots of sensitive user data. The Bosch Nyon series of board computers are cutting-edge devices from one of the market leaders in the eBike business, which is why they are especially interesting for forensics. Therefore, we conducted an in-depth forensic analysis of the two available Nyon models released in 2014 and 2021. On a first-generation Nyon device, Telnet access could be established by abusing a design flaw in the update procedure, which allowed the acquisition of relevant data without risking damage to the hardware. Besides the user's personal information, the data analysis revealed databases containing user activities, including timestamps and GPS coordinates. Furthermore, it was possible to forge the data on the device and transfer it to Bosch's servers to be persisted across their online service and smartphone app. On a current second-generation Nyon device, no software-based access could be obtained. For this reason, more intrusive hardware-based options were considered, and the data could be extracted via chip-off eventually. Despite encryption, the user data could be accessed and evaluated. Besides location and user information, the newer model holds even more forensically relevant data, such as nearby Bluetooth devices.