MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles

The bicycle industry is increasingly adopting wireless gear-shifting technology for its advantages in performance and design. In this paper, we explore the security of these systems, focusing on Shimano's Di2 technology, a market leader in the space. Through a blackbox analysis of Shimano's proprietary wireless protocol, we uncovered the following critical vulnerabilities: (1) A lack of mechanisms to prevent replay attacks that allows an attacker to capture and retransmit gear shifting commands; (2) Susceptibility to targeted jamming, that allows an attacker to disable shifting on a specific target bike; and (3) Information leakage resulting from the use of ANT+ communication, that allows an attacker to inspect telemetry from a target bike. Exploiting these, we conduct successful record and replay attacks that lead to unintended gear shifting that can be completely controlled by an attacker without the need for any cryptographic keys. Our experimental results show that we can perform replay attacks from up to 10 meters using software-defined radios without any amplifiers. The recorded packets can be used at any future time as long as the bike components remain paired. We also demonstrate the feasibility of targeted jamming attacks that disable gear shifting for a specific bike, meaning they are finely tuned to not affect neighboring systems. Finally, we propose countermeasures and discuss their broader implications with the goal of improving wireless communication security in cycling equipment.