Shimano Di2 Wireless System Bicycles Vulnerable to Remote Gear Shift Attacks
Published on August 26, 2024
- Bicycles using the popular Shimano Di2 wireless gear-shifting system could be exposed to replay attacks via a proprietary protocol flaw.
- The commands sent via this wireless system are encrypted but lack a few protection elements.
- Shimano issued a fix for this vulnerability, making it available to professional cyclists.
A critical vulnerability in the bicycles’ Shimano Di2 wireless system’s proprietary protocol makes it vulnerable to a potential replay attack, researchers from Northeastern University and the University of California San Diego announced in a PDF report.
These electronic systems transmit commands via wireless connections. Shimano Di2 uses encrypted commands, but the sent packets do not have a timestamp or one-time code, which makes encrypted commands vulnerable to interception, enabling a remote individual to shift gears on a victim’s bike without decrypting them.
The high-end market Shimano Di2 system communicates with the bike’s computers and the Shimano smartphone app via a combination of Bluetooth Low Energy and ANT+ protocols.
The system’s communication, which uses a fixed frequency of 2.478 GHz, works by simply sending a command from the shifter to the derailleur, which confirms receipt.
Commands can be intercepted and replayed effectively within 10 meters using an off-the-shelf software-defined radio, according to the security report, causing damage or impacting the bike’s performance.
The report also mentions the possibility of sending continuous repeat commands to a vulnerable bike to cause the malfunction of the gear-shifting system in a “targeted jamming” attack, which works as a denial-of-service (DoS) attack.
As professional cyclists could abuse this vulnerability to gain an unfair advantage in competitions, Shimano released an update to address the issue, but it’s only available to professional cycling teams for now.
In recent news, several dating apps, including Bumble and Hinge, allowed pinpointing other users' locations down to 2 meters. While they do not share exact locations on user profiles, malicious users could exploit this feature via a form of trilateration.