Remote control risk: Cycling tech compromised by wireless vulnerability
Electronically controlled bicycle equipment provides convenience and precision, but—as evidenced by materials published by Northeastern University—it does not ensure safety. Bicycle gear settings can be changed remotely, affecting sports results and safety.
Shimano DI2 is a group of electronically controlled bicycle equipment. Electrical wires and wireless connectivity have replaced mechanical connections in the form of shifters, which control the operation of gears using steel cables. The equipment configuration can be carried out remotely via a smartphone.
This offers very high precision and avoids problems associated with the operation of mechanical actuators. However, as researchers from Boston's Northeastern University demonstrated, it also introduces significant risks.
Reports from cycling routes show that the drivetrain operation affects sports results and safety, and causing a crash can have dire consequences.
Gear settings can be changed remotely
Shimano DI2 employs several wireless communication standards. According to the Sekurak service, these include Bluetooth Low Energy for equipment configuration, ANT+ for telemetry, and the proprietary Shimano protocol, operating at 2.478 GHz, for controlling the gears. However, this element has proven to be a weak link.
Through spectrum observation, carried out using SDR (software-defined radio), researchers—explained by the Sekurak service—"managed to identify all transmission parameters and also replicate and decode data transmitted during this wireless communication."
A computer and SDR with transmission capabilities are sufficient to control the operation of the gears remotely. During tests, repeatable results were obtained at a distance of up to 33 feet, which is usually enough to influence the operation of gears in a bicycle passing by the roadside.
According to the manufacturer's assurances, the detected vulnerability can be secured through a gear software update. However, it is worth noting that the race between equipment manufacturers (wireless systems are also produced by companies such as SRAM) is ongoing, and the growing number of wirelessly communicating devices offers hackers ever-greater opportunities.
