Critical Vulnerabilities Found in Top Cycling Gear System

Researchers recently uncovered a major cybersecurity flaw in wireless gear-shifting cycling tech, leaving cyclists vulnerable to attack.
Lance Armstrong, who won the Tour de France seven consecutive times but had the victories stripped because of doping, rides to Protivin, Iowa, during RAGBRAI on July 27, 2017. (Kelsey Kremer/The Register via Imagn Content Services, LLC)

In professional cycling, where races can be decided in mere seconds, the significance of every aspect of a cyclist's equipment cannot be overstated. A team of computer scientists has recently unearthed a critical vulnerability within the wireless gear-shifting systems used in top-tier bicycles—a weak spot that could potentially affect the outcome of high-profile events like the Tour de France.

A research team from the University of California San Diego and Northeastern University explored Shimano's Di2 wireless gear-shifting technology, which dominates the cycling industry. During black-box analysis, they found three serious vulnerabilities in Shimano's binary wireless protocol, which would allow an attacker to manipulate the gear-shifting remotely.

The first vulnerability identified was the lack of mechanisms to thwart replay attacks. An attacker who captures the system's transmissions and retransmits them can take full control of a cyclist's gears without any cryptographic keys. The researchers showed that such an attack could be carried out with commodity software-defined radios, with no signal amplification, from up to 10 meters away.
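Why missing replay protection matters on the receiving side, as an added example that is not from the article, the researchers, or Shimano: a receiver that accepts any recorded frame is compared with one that requires a fresh counter and a valid MAC. The frame layout, key, and class names are constructed for illustration and do not describe the Di2 protocol or its patch.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag (constructed frame layout)

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Shifter side: counter || command || MAC(counter || command)."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class NaiveReceiver:
    """No freshness check: a recorded command is valid every time it is sent."""
    def accept(self, frame: bytes) -> bool:
        return frame in (b"UP", b"DOWN")

class CounterReceiver:
    """Accepts a frame only if its MAC verifies and its counter is new."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) <= 4 + TAG_LEN:
            return False  # too short to hold counter, command and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        self.last_counter = counter
        return True

def demo() -> dict:
    key = b"constructed-pairing-key"  # sample value, not a real key
    naive, hardened = NaiveReceiver(), CounterReceiver(key)
    recorded = make_frame(key, 1, b"UP")  # frame an eavesdropper could record
    return {
        "naive_first": naive.accept(b"UP"),
        "naive_replay": naive.accept(b"UP"),
        "hardened_first": hardened.accept(recorded),
        "hardened_replay": hardened.accept(recorded),
        "hardened_next": hardened.accept(make_frame(key, 2, b"DOWN")),
        "hardened_forged": hardened.accept(struct.pack(">I", 9) + b"UP" + bytes(TAG_LEN)),
    }

if __name__ == "__main__":
    print(demo())
```

In a real device the last accepted counter has to survive power cycles, otherwise old frames become valid again after a restart. A counter check does nothing against the jamming issue described next.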

The second problem is targeted jamming. An attacker can disable gear shifting on one specific bike while leaving the surrounding systems unaffected. This scenario puts riders at great risk, especially in the tightly packed pelotons common in professional races, where sudden gear changes or a complete gear lockout could cause a crash or severely impair rider performance.

The third issue concerns information leakage through the ANT+ communication protocol, which transmits data between the bicycle's components and cycling computers. This flaw may allow an attacker to monitor a cyclist's telemetry in real time, which provides an unfair advantage to any competitor exploiting the vulnerability.

These vulnerabilities carry significant implications.

In professional cycling, a sport where the line between victory and defeat is often razor-thin, the potential for a remote attack on a competitor's bicycle is a direct threat to the sport's integrity. The possibility of unintended gear changes at high speeds leading to potentially disastrous falls further underscores the gravity of these vulnerabilities.

Shimano, the Japanese company behind the Di2 wireless gear-shifting technology, has acknowledged the vulnerabilities and is currently developing patches to address them. The researchers recently presented their findings at the 18th USENIX WOOT Offensive Technologies conference, underscoring the need for cybersecurity measures within modern cycling devices.

As the sport of cycling continues to evolve technologically, the security of these systems will be instrumental in ensuring both rider safety and the sport's integrity.


Published
Eli Henderson
