Shimano Di2 Wireless System Bicycles Vulnerable to Remote Gear Shift Attacks

Published on August 26, 2024
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A critical vulnerability in the proprietary wireless protocol of the Shimano Di2 bicycle gear-shifting system exposes it to replay attacks, researchers from Northeastern University and the University of California San Diego announced in a PDF report.

These electronic systems transmit commands over wireless links. Shimano Di2 encrypts its commands, but the transmitted packets carry no timestamp or one-time code, so an attacker who intercepts an encrypted command can replay it to shift gears on a victim’s bike without ever decrypting it.
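As an added illustration (not code from the report, and not Shimano's protocol), the Python model below shows why the missing timestamp or one-time code matters: a receiver that checks only that a packet is authentic accepts a captured packet every time it is resent, while a receiver that also requires a strictly increasing counter accepts it once and drops the repeats. The shared key, packet layout and gear logic are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo, not Shimano's protocol: shifter and derailleur share a
# symmetric key; each packet is [4-byte counter][command][8-byte MAC].
KEY = b"constructed-demo-key-not-real"  # placeholder shared key
TAG_LEN = 8

def make_packet(counter: int, command: str) -> bytes:
    body = counter.to_bytes(4, "big") + command.encode()
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]

def _verify(packet: bytes):
    """Return (counter, command) if the MAC is valid, else None."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return int.from_bytes(body[:4], "big"), body[4:].decode()

class WeakDerailleur:
    """Checks authenticity only: a captured packet is accepted on every replay."""
    def __init__(self):
        self.gear = 5
    def receive(self, packet: bytes) -> bool:
        parsed = _verify(packet)
        if parsed is None:
            return False
        self.gear += 1 if parsed[1] == "UP" else -1
        return True

class HardenedDerailleur:
    """Also requires a strictly increasing counter, so each packet works once."""
    def __init__(self):
        self.gear = 5
        self.last_counter = -1
    def receive(self, packet: bytes) -> bool:
        parsed = _verify(packet)
        if parsed is None:
            return False
        counter, cmd = parsed
        if counter <= self.last_counter:  # replayed or stale: drop it
            return False
        self.last_counter = counter
        self.gear += 1 if cmd == "UP" else -1
        return True

def demo():
    captured = make_packet(1, "UP")  # one legitimately sent, then eavesdropped, packet
    weak, hard = WeakDerailleur(), HardenedDerailleur()
    weak_results = [weak.receive(captured) for _ in range(3)]
    hard_results = [hard.receive(captured) for _ in range(3)]
    return weak.gear, weak_results, hard.gear, hard_results
```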

The high-end Shimano Di2 system communicates with bike computers and the Shimano smartphone app via a combination of the Bluetooth Low Energy and ANT+ protocols.

Source: Usenix

The shifter-to-derailleur link uses a fixed frequency of 2.478 GHz and works by simply sending a command from the shifter to the derailleur, which confirms receipt.

According to the report, commands can be intercepted and replayed effectively from within 10 meters using an off-the-shelf software-defined radio, which could cause damage or affect the bike’s performance.

Source: Usenix

The report also describes sending continuous repeated commands to a vulnerable bike to make the gear-shifting system malfunction, a “targeted jamming” attack that works as a denial of service (DoS).

As professional cyclists could abuse this vulnerability to gain an unfair advantage in competitions, Shimano has released an update to address the issue, but for now it is only available to professional cycling teams.

In recent news, several dating apps, including Bumble and Hinge, allowed pinpointing other users' locations down to 2 meters. While they do not share exact locations on user profiles, malicious users could exploit this feature via a form of trilateration.
