
Remote control risk: Cycling tech compromised by wireless vulnerability

Electronically controlled bicycle equipment provides convenience and precision, but—as evidenced by materials published by Northeastern University—it does not ensure safety. Bicycle gear settings can be changed remotely, affecting sports results and safety.

Shimano GRX Di2 derailleur
Images source: © shimano | Tyler Roemer
Łukasz Michalik

29 September 2024 16:51

Shimano DI2 is a group of electronically controlled bicycle equipment. Electrical wires and wireless connectivity replace the mechanical link between the shifters and the gears, which traditionally relied on steel cables. The equipment can be configured remotely via a smartphone.

This offers very high precision and avoids problems associated with the operation of mechanical actuators. However, as researchers from Boston's Northeastern University demonstrated, it also introduces significant risks.

Reports from cycling routes show that drivetrain operation affects both sports results and safety, and a crash caused by its failure can have dire consequences.

Gear settings can be changed remotely

Shimano DI2 employs several wireless communication standards. According to the Sekurak service, these include Bluetooth Low Energy for equipment configuration, ANT+ for telemetry, and the proprietary Shimano protocol, operating at 2.478 GHz, for controlling the gears. It is this last element that has proven to be the weak link.

By observing the radio spectrum with an SDR (software-defined radio), the researchers, as the Sekurak service explains, "managed to identify all transmission parameters and also replicate and decode data transmitted during this wireless communication."

A computer and SDR with transmission capabilities are sufficient to control the operation of the gears remotely. During tests, repeatable results were obtained at a distance of up to 33 feet, which is usually enough to influence the operation of gears in a bicycle passing by the roadside.

According to the manufacturer's assurances, the detected vulnerability can be fixed through a software update for the gears. However, it is worth noting that the race between equipment manufacturers (wireless systems are also produced by companies such as SRAM) is ongoing, and the growing number of wirelessly communicating devices offers hackers ever-greater opportunities.
