Bicycle tech vulnerability: Remote gear control raises safety concerns

Shimano DI2 is a group of electronically controlled bicycle equipment. Previously managed by levers and steel cables, mechanical connections have been replaced with electric wires and wireless communication. The equipment can now be configured remotely on a smartphone.

This provides very high precision and helps avoid problems related to the operation of mechanical cables. However, Boston's Northeastern University researchers have shown that this technology can also be dangerous.

Reports from cycling routes indicate that the drivetrain operation affects sports results and safety, and causing a crash can have dire consequences.

Shimano DI2 uses several wireless communication standards. According to Sekurak, these include Bluetooth Low Energy for configuring the equipment, ANT+ for telemetry, and Shimano's proprietary protocol operating at a frequency of 2,478 MHz for controlling the derailleurs. This last element has proven to be a weak link.

Through spectrum observation, performed using an SDR (software-defined radio), researchers identified all the transmission parameters and recreated and decoded the data transmitted in this wireless communication.

To control the operation of the derailleurs remotely, all you need is a computer and an SDR with broadcasting capability. During tests, repeatable results were obtained at a distance of up to 33 feet, which is usually enough to affect the operation of the derailleurs in a passing bicycle from the roadside.

According to the manufacturer's assurances, updating the derailleurs' software can secure the detected vulnerability. However, it is worth remembering that the race between equipment manufacturers has not ended, and the increasing number of devices communicating wirelessly provides hackers with more opportunities.