How to hack a bicycle

Researchers have discovered several potential attack vectors targeting bicycles fitted with Shimano Di2 wireless gear-shifting system.

How to hack wireless bicycle gears

I’ve worked in cybersecurity for years, and sometimes I think I’ve seen it all: there’s nothing hackers could possibly do that would surprise, much less shock me. Baby monitors? Hacked. Cars? Hacked, over and over — and all kinds of makes. And not just cars, but car washes too. Toy robots, pet feeders, TV remotes… Fish tank anyone? No – really: it’s been done!

But what about bicycles? They seemed to be hackproof — until recently. In mid-August 2024, researchers published a paper describing a successful cyberattack on a bike. More precisely — on one fitted with Shimano Di2 gear-shifting technology.

Electronic gears — Shimano Di2 and the like

First, a few words of clarification for those not up to speed, so to speak, with the latest trends in cycling technology. Let’s start by saying that Japan’s Shimano is the world’s largest maker of key components for bicycles; basically – the main parts that are added to a frame to make up a working bicycle, such as drivetrains, braking systems, and so on. Although the company specializes in traditional mechanical equipment, for some time now (since 2001) it has been experimenting with electronics.

Classic gear-shifting systems on bikes rely on cables that physically connect the gear-derailleurs (bike-chain guiders across sprockets) to the gear-shifters on the handlebars. With electronic systems, however, there’s no such physical connection: the shifter normally sends a command to the derailleur wirelessly, and this changes gear with the help of a small electric motor.

Electronic gear-shifting systems can also be wired. In this case, instead of a cable, a wire connects the shifter and the derailleur through which commands are transmitted. Most in vogue of late, however, are wireless systems, in which the shifter sends commands to the derailleur with a radio signal.

Shimano Di2 electronic gear-shifting systems currently dominate the high-end segment of the company’s product line. The same is happening across the model lineups of its main competitors: America’s SRAM (which introduced wireless gear shifters first) and Italy’s Campagnolo.

In other words, a great many road, gravel and mountain bikes in the upper price band have been using electronic gear shifters for quite a while already, and increasingly these are wireless.

Wireless version of the Shimano Di2 electronic gear-shifting system

The wireless version of the Shimano Di2 actually isn’t all that wireless. Inside the bike frame there are quite a few wires: A and B represent wires that run from the battery to the front and rear derailleurs, respectively. Source

The switch from mechanics to electronics makes sense on the face of it — among other things, electronic systems offer greater speed, precision, and ease of use. That said, going wireless does look like innovation for the sake of innovation, as the practical benefits for the cyclist aren’t all too obvious. At the same time, the smarter a system becomes, the more troubles could arise.

And now it’s time to get to the heart of this post: bike hacking…

Security study of the Shimano Di2 wireless gear-shifting system

A team of researchers from Northeastern University (Boston) and the University of California (San Diego) analyzed the security of the Shimano Di2 system. The specific groupsets they looked at were the Shimano 105 Di2 (for mid-range road bikes) and the Shimano DURA-ACE Di2 (the very top of the line for professional cyclists).

In terms of communication capabilities, these two systems are identical and fully compatible. They both use Bluetooth Low Energy to communicate with the Shimano smartphone app, and the ANT+ protocol to connect to the bike’s computers. More importantly, however, the shifters and derailleurs communicate using Shimano’s proprietary protocol on the fixed frequency of 2.478 GHz.

This communication is, in fact, rather primitive: the shifter commands the derailleur to change gear up or down, and the derailleur confirms receipt of the command; if confirmation isn’t received, the command is resent. All commands are encrypted, and the encryption key appears to be unique for each paired set of shifters and derailleurs. All looks hunky-dory save for one thing: the transmitted packets have neither a timestamp nor a one-time code. Accordingly, the commands are always the same for each shifter/derailleur pair, which makes the system vulnerable to a replay attack. This means that attackers don’t even need to decrypt the transmitted messages — they can intercept the encrypted commands and use them to shift gears on a victim’s bike.

Testbed used by the researchers

To intercept and replay commands, the researchers used an off-the-shelf software-defined radio. Source

Using a software-defined radio (SDR), the researchers were able to intercept and replay commands, and thus gain control over the gear shifting. What’s more, the effective attack range — even without modifying the equipment or using amplifiers or directional antennas — was 10 meters, which is more than enough in the real world.

Why Shimano Di2 attacks are dangerous

As the researchers note, professional cycling is a highly competitive sport with big money involved. Cheating — especially the use of banned substances — is no stranger to the sport. And an equally underhand advantage could be gained by exploiting vulnerabilities in a competitor’s equipment. Therefore, cyberattacks in the world of professional cycling could easily become a thing.

The equipment used for such attacks can be miniaturized and hidden either on a cheating cyclist or a support vehicle, or even set up somewhere on the race track or route. Moreover, malicious commands can be sent remotely by a support group.

A command to upshift gear during a climb or sprint, for instance, could seriously affect an opponent’s performance. And an attack on the front derailleur, which changes gears more abruptly, could bring the bike to a halt. In a worst-case scenario, an unexpected and abrupt gear change could damage the chain or cause it to fly off, potentially injuring the cyclist.

Shimano Di2 wireless shifter

Vulnerabilities in the Shimano Di2 allow an attacker to remotely control a bike’s gear shifting or carry out a DoS attack. Source

Besides malicious gear-shifting, the researchers also explored the possibility of what they call “targeted jamming” of communications between the shifters and derailleurs. The idea is to send continuous repeat commands to the victim’s bike at a certain frequency. For example, if the upshift command is repeated over and over, the gear shifter will hit top gear and stay there, no longer responding to genuine commands from the shifter (based on the rider’s selection). This is essentially a DoS attack on the gear-shifting system.

The upshot

As the authors note, they chose Shimano as the subject of their study simply because the company has the largest market share. They didn’t examine the wireless systems of Shimano’s competitors, SRAM and Campagnolo, but admit that these too may well be vulnerable to such attacks.

Shimano was informed of the vulnerability, and appears to have taken it seriously — having already developed an update. At the time of this post’s being published, however, only professional cycling teams had received it. Shimano has given assurances to make the update available to the general public later — bikes can be updated via the E-TUBE PROJECT Cyclist app.

The good news for non-professional cyclists is that the risk of exploitation is negligible. But if your bike is fitted with the Shimano Di2 wireless version, be sure to install the update when it becomes available — just in case.

Tips