Hackers Could Take Control Of Your Bike’s Gears

Security researchers discover critical vulnerabilities in wireless bicycle gear-shifting technology, as reported today by Forbes.

A team of researchers from Northeastern University and UC San Diego reported that gears can be changed or jammed from as far as 32 feet away. By exploiting vulnerabilities in the gear-shifting system, attackers could interfere with cyclists’ ability to control their bikes.

Forbes reported that this could allow attackers to remotely control a cyclist’s gears, potentially causing accidents or giving them an unfair advantage in competitions.

The researchers focused on Shimano Di2 wireless gear-shifting technology, a popular choice among professional cyclists. They found that the system lacks sufficient security measures to prevent replay attacks and jamming. This means that attackers could capture and retransmit gear-shift commands or disable gear-shifting completely.

The researchers point out that the bicycle industry is increasingly adopting wireless gear-shifting technology due to its performance and design benefits.

The researchers found three main security problems with the bike-shifting system. Firstly, hackers can record gear-shifting commands and play them back later to trick the bike into shifting gears without the rider’s input.

Secondly, hackers can use special equipment to block the communication between the rider’s control and the bike, preventing the bike from shifting gears. Finally, they can intercept the wireless communication between the bike and the rider’s control to gather information about the bike’s speed, gear, and other data.

The researchers suggest several strategies to protect the system from hacking. For example, adding timestamps to signals can prevent old messages from being used, but this requires the devices to be perfectly synchronized, which isn’t always easy.

Another approach they suggest is using rolling codes, where each signal has a one-time-use code. This makes it harder for hackers to intercept and reuse commands. They state that this method is commonly used in car key fobs and could be beneficial here as well.

Additionally, they suggest limiting the range at which commands are accepted can prevent remote attacks by ensuring only nearby signals are allowed. However, Shimano’s system doesn’t seem to include the protections above, leaving it vulnerable to attacks.

Forbes reports that the researchers have disclosed their findings to Shimano. The company has not yet provided a public statement. However, it has confirmed that it is working to address the vulnerabilities.