{"id":52026,"date":"2024-08-23T11:24:03","date_gmt":"2024-08-23T15:24:03","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52026"},"modified":"2024-08-23T11:24:03","modified_gmt":"2024-08-23T15:24:03","slug":"how-to-hack-bicycles-shimano-di2-wireless-shifting-technology","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/52026\/","title":{"rendered":"How to hack a bicycle"},"content":{"rendered":"<p>I\u2019ve worked in cybersecurity for years, and sometimes I think I\u2019ve seen it all: there\u2019s nothing hackers could possibly do that would surprise, much less shock me. Baby monitors? <a href=\"https:\/\/www.kaspersky.com\/blog\/kid-safety-iot\/11066\/\" target=\"_blank\" rel=\"noopener nofollow\">Hacked<\/a>. Cars? <a href=\"https:\/\/www.kaspersky.com\/blog\/jeep-hacked-again\/12752\/\" target=\"_blank\" rel=\"noopener nofollow\">Hacked<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/hacking-tesla-model-x\/17874\/\" target=\"_blank\" rel=\"noopener nofollow\">over and over<\/a> \u2014 and all kinds of makes. And not just cars, but <a href=\"https:\/\/www.kaspersky.com\/blog\/hacking-a-carwash\/17831\/\" target=\"_blank\" rel=\"noopener nofollow\">car washes<\/a> too. <a href=\"https:\/\/www.kaspersky.com\/blog\/robot-toy-security-issue\/50630\/\" target=\"_blank\" rel=\"noopener nofollow\">Toy robots<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/pet-feeders-vulnerabilities\/48461\/\" target=\"_blank\" rel=\"noopener nofollow\">pet feeders<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/rsa2021-tv-remote-listening-device\/40022\/\" target=\"_blank\" rel=\"noopener nofollow\">TV remotes<\/a>\u2026 Fish tank anyone? No \u2013 really: it\u2019s been <a href=\"https:\/\/www.kaspersky.com\/blog\/leaking-fish-tank\/22248\/\" target=\"_blank\" rel=\"noopener nofollow\">done<\/a>!<\/p>\n<p>But what about bicycles? 
They seemed to be hackproof \u2014 until recently. In mid-August 2024, researchers published a paper describing a successful cyberattack on a bike. More precisely \u2014 on one fitted with <a href=\"https:\/\/bike.shimano.com\/en-EU\/technologies\/component\/details\/di2.html\" target=\"_blank\" rel=\"nofollow noopener\">Shimano Di2 gear-shifting technology<\/a>.<\/p>\n<h2>Electronic gears \u2014 Shimano Di2 and the like<\/h2>\n<p>First, a few words of clarification for those not up to speed, so to speak, with the latest trends in cycling technology. Let\u2019s start by saying that Japan\u2019s Shimano is the world\u2019s largest maker of key components for bicycles; that is, the main parts that are added to a frame to make up a working bicycle, such as drivetrains, braking systems, and so on. Although the company specializes in traditional mechanical equipment, for some time now (<a href=\"https:\/\/bike.shimano.com\/en-EU\/technologies\/component\/details\/di2.html\" target=\"_blank\" rel=\"nofollow noopener\">since 2001<\/a>) it has been experimenting with electronics.<\/p>\n<p>Classic gear-shifting systems on bikes rely on cables that physically connect the gear-<a href=\"https:\/\/en.wikipedia.org\/wiki\/Derailleur\" target=\"_blank\" rel=\"nofollow noopener\">derailleurs<\/a> (which guide the chain across the sprockets) to the gear-<a href=\"https:\/\/en.wikipedia.org\/wiki\/Shifter_(bicycle_part)\" target=\"_blank\" rel=\"nofollow noopener\">shifters<\/a> on the handlebars. With electronic systems, however, there\u2019s no such physical connection: the shifter normally sends a command to the derailleur wirelessly, which changes gear with the help of a small electric motor.<\/p>\n<p>Electronic gear-shifting systems can also be wired. In this case, instead of a cable, a wire connects the shifter and the derailleur, and commands are transmitted through it. 
Most in vogue of late, however, are wireless systems, in which the shifter sends commands to the derailleur with a radio signal.<\/p>\n<p>Shimano Di2 electronic gear-shifting systems currently dominate the high-end segment of the company\u2019s product line. The same is happening across the model lineups of its main competitors: America\u2019s SRAM (which introduced wireless gear shifters first) and Italy\u2019s Campagnolo.<\/p>\n<p>In other words, a great many road, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Gravel_bicycle\" target=\"_blank\" rel=\"nofollow noopener\">gravel<\/a> and mountain bikes in the upper price band have been using electronic gear shifters for quite a while already, and increasingly these are wireless.<\/p>\n<div id=\"attachment_52032\" style=\"width: 1430px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/23112121\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology-1.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52032\" class=\"size-full wp-image-52032\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/23112121\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology-1.jpeg\" alt=\"Wireless version of the Shimano Di2 electronic gear-shifting system \" width=\"1420\" height=\"1260\"><\/a><p id=\"caption-attachment-52032\" class=\"wp-caption-text\">The wireless version of the Shimano Di2 actually isn\u2019t all that wireless. Inside the bike frame there are quite a few wires: A and B represent wires that run from the battery to the front and rear derailleurs, respectively. <a href=\"https:\/\/si.shimano.com\/en\/pdfs\/dm\/RAGN010\/DM-RAGN010-03-ENG.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The switch from mechanics to electronics makes sense on the face of it\u00a0\u2014 among other things, electronic systems offer greater speed, precision, and ease of use. 
That said, going wireless does look like innovation for the sake of innovation, as the practical benefits for the cyclist aren\u2019t all that obvious. At the same time, the smarter a system becomes, the more problems can arise.<\/p>\n<p>And now it\u2019s time to get to the heart of this post: bike hacking\u2026<\/p>\n<h2>Security study of the Shimano Di2 wireless gear-shifting system<\/h2>\n<p>A team of researchers from Northeastern University (Boston) and the University of California (San Diego) <a href=\"https:\/\/www.usenix.org\/system\/files\/woot24-motallebighomi.pdf\" target=\"_blank\" rel=\"nofollow noopener\">analyzed the security of the Shimano Di2<\/a> system. The specific groupsets they looked at were the Shimano 105 Di2 (for mid-range road bikes) and the Shimano DURA-ACE Di2 (the very top of the line for professional cyclists).<\/p>\n<p>In terms of communication capabilities, these two systems are identical and fully compatible. They both use <a href=\"https:\/\/en.wikipedia.org\/wiki\/Bluetooth_Low_Energy\" target=\"_blank\" rel=\"nofollow noopener\">Bluetooth Low Energy<\/a> to communicate with the Shimano smartphone app, and the <a href=\"https:\/\/en.wikipedia.org\/wiki\/ANT_(network)#ANT+\" target=\"_blank\" rel=\"nofollow noopener\">ANT+<\/a> protocol to connect to the bike\u2019s computers. More importantly, however, the shifters and derailleurs communicate using Shimano\u2019s proprietary protocol on the fixed frequency of 2.478 GHz.<\/p>\n<p>This communication is, in fact, rather primitive: the shifter commands the derailleur to change gear up or down, and the derailleur confirms receipt of the command; if confirmation isn\u2019t received, the command is resent. All commands are encrypted, and the encryption key appears to be unique for each paired set of shifters and derailleurs. All looks hunky-dory save for one thing: the transmitted packets have neither a timestamp nor a one-time code. 
Accordingly, the commands are always the same for each shifter\/derailleur pair, which makes the system vulnerable to a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/replay-attack\/\" target=\"_blank\" rel=\"noopener\">replay attack<\/a>. This means that attackers don\u2019t even need to decrypt the transmitted messages \u2014 they can intercept the encrypted commands and use them to shift gears on a victim\u2019s bike.<\/p>\n<div id=\"attachment_52031\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/23112018\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology-2.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52031\" class=\"size-full wp-image-52031\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/23112018\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology-2.jpeg\" alt=\"Testbed used by the researchers \" width=\"1460\" height=\"1092\"><\/a><p id=\"caption-attachment-52031\" class=\"wp-caption-text\">To intercept and replay commands, the researchers used an off-the-shelf software-defined radio. <a href=\"https:\/\/www.usenix.org\/system\/files\/woot24-motallebighomi.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Using a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Software-defined_radio\" target=\"_blank\" rel=\"nofollow noopener\">software-defined radio<\/a> (SDR), the researchers were able to intercept and replay commands, and thus gain control over the gear shifting. What\u2019s more, the effective attack range \u2014 even without modifying the equipment or using amplifiers or directional antennas \u2014 was 10 meters, which is more than enough in the real world.<\/p>\n<h2>Why Shimano Di2 attacks are dangerous<\/h2>\n<p>As the researchers note, professional cycling is a highly competitive sport with big money involved. 
Cheating \u2014 especially the use of banned substances \u2014 is <a href=\"https:\/\/www.theguardian.com\/sport\/2015\/mar\/09\/lance-armstrong-cycling-doping-scandal\" target=\"_blank\" rel=\"nofollow noopener\">no stranger<\/a> to the sport. And an equally underhand advantage could be gained by exploiting vulnerabilities in a competitor\u2019s equipment. Therefore, cyberattacks in the world of professional cycling could easily become a thing.<\/p>\n<p>The equipment used for such attacks can be miniaturized and hidden either on a cheating cyclist or a support vehicle, or even set up somewhere on the race track or route. Moreover, malicious commands can be sent remotely by a support group.<\/p>\n<p>A command to upshift gear during a climb or sprint, for instance, could seriously affect an opponent\u2019s performance. And an attack on the front derailleur, which changes gears more abruptly, could bring the bike to a halt. In a worst-case scenario, an unexpected and abrupt gear change could damage the chain or cause it to fly off, potentially injuring the cyclist.<\/p>\n<div id=\"attachment_52029\" style=\"width: 1610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/23111859\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology-3.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52029\" class=\"size-full wp-image-52029\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/23111859\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology-3.jpeg\" alt=\"Shimano Di2 wireless shifter \" width=\"1600\" height=\"900\"><\/a><p id=\"caption-attachment-52029\" class=\"wp-caption-text\">Vulnerabilities in the Shimano Di2 allow an attacker to remotely control a bike\u2019s gear shifting or carry out a DoS attack. 
<a href=\"https:\/\/www.usenix.org\/system\/files\/woot24-motallebighomi.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Besides malicious gear-shifting, the researchers also explored the possibility of what they call \u201ctargeted jamming\u201d of communications between the shifters and derailleurs. The idea is to send continuously repeated commands to the victim\u2019s bike at a certain frequency. For example, if the upshift command is repeated over and over, the derailleur will hit top gear and stay there, no longer responding to genuine commands from the shifter (based on the rider\u2019s selection). This is essentially a DoS attack on the gear-shifting system.<\/p>\n<h2>The upshot<\/h2>\n<p>As the authors note, they chose Shimano as the subject of their study simply because the company has the largest market share. They didn\u2019t examine the wireless systems of Shimano\u2019s competitors, SRAM and Campagnolo, but admit that these too may well be vulnerable to such attacks.<\/p>\n<p>Shimano was informed of the vulnerability, and <a href=\"https:\/\/www.wired.com\/story\/shimano-wireless-bicycle-shifter-jamming-replay-attacks\/\" target=\"_blank\" rel=\"nofollow noopener\">appears<\/a> to have taken it seriously \u2014 having already developed an update. At the time this post was published, however, only professional cycling teams had received it. Shimano has given assurances that it will make the update available to the general public later \u2014 bikes can be updated via the E-TUBE PROJECT Cyclist app.<\/p>\n<p>The good news for non-professional cyclists is that the risk of exploitation is negligible. 
But if your bike is fitted with the Shimano Di2 wireless version, be sure to install the update when it becomes available \u2014 just in case.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-geek\">\n","protected":false},"excerpt":{"rendered":"<p>Researchers have discovered several potential attack vectors targeting bicycles fitted with Shimano Di2 wireless gear-shifting system.<\/p>\n","protected":false},"author":2726,"featured_media":52027,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1789,2683],"tags":[111,381,261,82,658,794,97,321,422,268],"class_list":{"0":"post-52026","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"category-threats","9":"tag-attacks","10":"tag-bluetooth","11":"tag-encryption","12":"tag-hacking","13":"tag-internet-of-things","14":"tag-iot","15":"tag-security-2","16":"tag-technology","17":"tag-threats","18":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/52026\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/27907\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/23202\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/28083\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/27622\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/30350\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/how-to-hack-bicycles-shimano-di2-
wireless-shifting-technology\/29168\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/38114\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/12682\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/22133\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/22910\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/31611\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/37046\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/28217\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/34016\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/33678\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52026"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52026\/revisions"}],"pred
ecessor-version":[{"id":52033,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52026\/revisions\/52033"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52027"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}