In the heart of the Tour de France, arguably the most prestigious and challenging cycling race in the world, the race leader is climbing L’Alpe D’Huez, confidently ahead of the pack. But suddenly, the gear shifts up unexpectedly, slowing the rider and making them increase power to keep up their speed. No matter how much they adjust, the gears keep slipping into inefficient settings, disrupting their rhythm. At times, the gear shifters become entirely unresponsive.
Is this a simple mechanical malfunction, or could it be a sign of something more insidious—perhaps the emergence of high-tech, illegal manipulations in competitive cycling?
We researched what it would take to attack a wireless shifting system, and found that we could control a shifter or deny access to it. In this article, we explain how we did this and what shifter manufacturers might do to prevent these attacks.
Modern bicycles are cyber-physical systems that contain embedded computers and wireless links to enable new types of telemetry and control. The key motivating factors for moving away from traditional mechanical systems are the ability to gain insights about a rider's physical performance, better responsiveness in gear shifting, customizability of how the gear shifters operate, and easier setup and maintenance.
Among the latest innovations in cycling technology, wireless gear shifting stands out for its significant impact on bike control and rider safety. The system uses wireless links between the gear shifters and the derailleur — an electro-mechanical component that uses motors to move the chain between gears. Electronic control provides increased precision in shifts and is less prone to issues like cable stretch and contamination that plague mechanical gear shifting systems.
While wired electronic gear-shifting systems exist, the trend in the cycling industry is rapidly moving toward fully wireless solutions. Major manufacturers like Shimano, SRAM, and Campagnolo now all offer wireless shifting options. But now that the system is going wireless, we have new problems to contend with – particularly security risks. Any vulnerability in such a critical system can have serious consequences for rider safety and performance, especially in professional races. In high-speed events, where hundreds of riders are packed tightly in a peloton, sudden changes in a bike's performance can be catastrophic. If an attacker were to hack into the wireless shifting system of a subset of riders and shift the gears or jam the shifting operation, it could result in crashes and injuries. And in critical moments, such as steep climbs or rapid descents, losing control of gear shifting could mean losing not just the race, but control of the bike itself.
It is important to note that the sport of professional cycling has long struggled with the use of illegal performance-enhancing drugs. Security vulnerabilities in one of the bike’s most critical components could offer an appealing alternative for those looking to compromise the integrity of the sport. Unlike the physical evidence left by doping, wireless attacks can be almost impossible to trace. With the advent of wireless gear shifting, it's crucial to adopt an adversary's perspective — professional bike races are highly competitive and adversarial, and any technology used must be robust enough to withstand attacks from motivated individuals.
A TL;DR of the results
To explore potential vulnerabilities, we focused on the Shimano 105 Di2 and Shimano DURA-ACE Di2 wireless shifting systems [9]. Shimano, a leader in the bicycle control system industry with roughly 50% market share, provided an ideal case study for our investigation. We purchased a recent version of the control system and conducted a black box security analysis, capturing raw physical signals, observing their behavior during gear shifts, and analyzing the packet structure and content.
What we uncovered in our security analysis was surprising, especially considering the similarities to prior attacks on systems like passive keyless entry for cars [1] and garage door openers [6]. We discovered a record-and-replay attack that allows an unauthorized party to fully control gear shifting on a victim's bike from up to 10 meters away — without the need for any amplifiers. Because the attack replays the raw physical-layer signal, it needs no cryptographic secrets and works regardless of whether the link is encrypted; it can trigger unexpected gear shifts in random patterns. This attack can be realized using commercial-off-the-shelf software-defined radios (SDR). The attacker only needs to record two signals — an upshift and a downshift. Additionally, we found that targeted jamming attacks could disable gear shifting on a specific bicycle without affecting others nearby.
The attacker only needs an SDR capable of transmitting and receiving signals in the 2.4 GHz band. All commercial off-the-shelf SDRs, such as the USRP B210, HackRF, PlutoSDR, and LimeSDR, are potential options for this purpose. In our proof-of-concept threat analysis, we used a USRP B210. An attacker may also opt for a more advanced setup, e.g., using amplifiers to extend the attack range.
Responsible Disclosure and Disclaimer
We notified Shimano about the vulnerabilities, along with detailed information on replicating the attacks, part numbers of the devices we tested, and a description of countermeasures that might be helpful in this context. Shimano has acknowledged these vulnerabilities and has released fixes to both professional racing teams and to individual customers. We emphasize that these identified attacks are unlikely to impact amateur or commuter cyclists; the real concern arises in high-stakes, adversarial environments, such as professional racing.
A replay attack in the wireless world is when an attacker intercepts and records signals during a legitimate action, then later retransmits them to carry out the same action on the system without authorization. Notably, the attacker does not need to understand the packet's format or contents to succeed. Replay attacks can even bypass encrypted protocols, making them a versatile and concerning threat.
Therefore, to carry out a replay attack, the attacker only needs to capture the signal responsible for shifting gears. The key element of the attack is simply capturing a signal that corresponds to an upshift or downshift, which can then be retransmitted to force gear changes on the victim's bike.
Capturing these signals is straightforward. The attacker doesn’t need physical access to the bike; being within range is enough. In professional races, where riders are tightly packed, a bystander along the race route or even a team vehicle traveling alongside the peloton could easily record the gear-shifting signals in real time as the victim rider changes gears. In a matter of seconds, the attacker could capture both an upshift and a downshift signal, regardless of the current gear the bike is in, and later use them to trigger unauthorized shifts. The capture could also take place well before race day, such as during a team event or a practice session days or weeks in advance. This opens up various opportunities for an attacker to interfere with a rider’s performance using minimal equipment and without drawing attention. We note that the attack works irrespective of which gear the bike is currently in; thus, it is sufficient for the attacker to capture any upshift and any downshift signal.
We conducted replay attack experiments by testing how far the attacker’s transmitter could be from the bike’s rear derailleur while still successfully shifting gears. In our tests, we shifted through all eleven gears, from the lowest to the highest, at various distances. The results showed that we could consistently trigger unintended gear shifts from up to 9 meters away without any failures. At 10 meters, we successfully shifted 10 out of 11 times. Beyond this range, the signal weakened and the attack became unreliable. Importantly, these tests were done without any signal amplifiers, meaning this range represents the lower bound for how far an attacker could be from the target.
A jammer works by transmitting radio frequency noise that disrupts wireless communication. How effective the jamming is depends on several factors, like the power of the device, the type of signal being jammed, environmental conditions, and the distance between the jammer and the receiver. There are ways to make jamming more targeted and efficient. For example, using directional antennas can focus the jamming signal on a specific area, reducing its impact on other surroundings. The success of jamming often comes down to how well it’s designed and how strategically it’s used, especially when directionality is a key factor.
We used the same SDR setup from our replay attack to transmit a jamming signal—specifically, a simple sinusoid—at 2.478 GHz, which is the frequency Shimano uses for its wireless communications. For our tests, we placed the shifter and derailleur one meter apart, which mirrors the typical setup on a bike, and then tested the jammer at different distances. When the jammer was within one meter of the derailleur, the gear-shifting system became completely non-functional, cutting off all communication. Beyond this range, the jammer still disrupted the signal, but didn’t fully disable the bike’s functionality.
However, this type of attack would affect every bike in the vicinity operating on the same frequency. We then shifted our focus to see if we could target a specific bike while leaving others nearby unaffected. This approach mirrors a real-world race scenario, where an attacker might want to disrupt only a specific rider’s bike while ensuring that friendly bikes remain fully functional. In our study, we labeled two Shimano wireless gear-shifting sets as Bike1 and Bike2. We captured an upshifting signal from Bike1 and replayed it at different intervals using our USRP B210, while manually shifting gears on Bike2 nearby. Our results showed that when the interval was less than 112 µs (the length of one packet), Bike2 also stopped working due to interference. However, once the interval exceeded 112 µs, Bike2’s functionality returned, as there was enough time for command packets to transmit and receive acknowledgments. In short, when the attacker sends replay packets with a 112 µs interval, Bike1 is disabled while Bike2, or any other nearby bike, continues to function normally.
Attacker device form-factor and cost
In the current implementation of our signal capture and replay system, we utilize a setup comprising an SDR and a laptop. While effective, this configuration is not optimized for size or portability. However, with advancements in miniaturization and integrated circuit (IC) technology, it is feasible to reduce the size of the attack device significantly. By custom designing specific circuits, we can integrate a receiver, a modest amount of memory for signal storage, and a transmitter into a compact, single System on a Chip (SoC) or small circuit board. This miniaturization makes the attack system more discreet and easier to carry and deploy. For example, in 2011 researchers demonstrated relay attacks [1] on passive keyless entry systems with SDRs costing more than $1500. A few years later, the same attack was demonstrated with equipment costing $22 [8].
Potential Countermeasures
To mitigate replay attacks, a basic measure is to add timestamps to wireless messages exchanged, as it restricts message validity to a specific timeframe, making older, replayed messages invalid. However, this approach comes with challenges, particularly the need for precise time synchronization between devices, which can be difficult when devices don’t have reliable access to shared time sources. Another common defense is rolling codes, where each transmitted signal includes a unique, one-time-use code. This makes it much harder for an attacker to reuse captured signals, as both devices move to the next code after each transmission. While rolling codes greatly raise the difficulty of executing replay attacks, they aren't entirely foolproof against more sophisticated methods like code grabbing or delayed playback [3, 5, 7].
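As an added illustration of the rolling-code idea (this is example code, not Shimano's fix or its wire format): each shift command carries a monotonic counter and a truncated HMAC under a key shared by shifter and derailleur, so a recorded packet is rejected on replay while a few lost packets are tolerated. The packet layout, key, window size and class names are all assumptions.

```python
import hmac
import hashlib
import struct

# Constructed example: counter (u32) + direction (u8) + 8-byte truncated HMAC-SHA256.
PACKET_LEN = 4 + 1 + 8
UP, DOWN = 1, 0

def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

class Shifter:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def shift(self, direction: int) -> bytes:
        self.counter += 1                     # never reused for this key
        body = struct.pack(">IB", self.counter, direction)
        return body + _tag(self.key, body)

class Derailleur:
    WINDOW = 16                               # tolerate lost packets without desync
    def __init__(self, key: bytes, gears: int = 11):
        self.key, self.gears = key, gears
        self.last_counter, self.gear = 0, 1
    def receive(self, pkt: bytes) -> bool:
        if len(pkt) != PACKET_LEN:
            return False
        body, tag = pkt[:5], pkt[5:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False                      # forged or corrupted
        counter, direction = struct.unpack(">IB", body)
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False                      # replayed, or far outside the window
        self.last_counter = counter
        step = 1 if direction == UP else -1
        self.gear = min(self.gears, max(1, self.gear + step))
        return True

def demo() -> dict:
    key = bytes(range(16))                    # constructed shared key
    s, d = Shifter(key), Derailleur(key)
    first = s.shift(UP)
    accepted = d.receive(first)               # legitimate upshift
    replayed = d.receive(first)               # same bytes recorded and replayed
    s.shift(DOWN)                             # this packet is lost in transit
    after_loss = d.receive(s.shift(DOWN))     # counter skipped one, still fresh
    forged = d.receive(Shifter(b"wrong-key").shift(UP))
    return {"accepted": accepted, "replayed": replayed,
            "after_loss": after_loss, "forged": forged, "gear": d.gear}
```

Note that a packet the derailleur never received (jammed and stored) still carries a fresh counter, which is why the text above says rolling codes alone are not foolproof against delayed playback.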
An alternative, less conventional measure is a distance-based restriction, which could add an important layer of security. Since legitimate interactions occur only between shifters and derailleurs within a limited range, restricting command acceptance to close proximity could be highly effective in reducing the likelihood of remote replay attacks. This method works on the assumption that attackers are more likely to operate from a distance. However, securely measuring distance poses its own challenges [2]. Techniques like signal strength estimation or time-of-flight can be unreliable, especially in the fast-paced environment of competitive cycling. While this approach can help reduce the risk of replay attacks, it should not be seen as a standalone solution. Instead, it should be used in combination with other security measures, such as rolling codes or timestamps, to provide more comprehensive protection.
As technology continues to spread into the world of competitive sports, the need for robust security threat analysis becomes all the more critical. Our research shows just how easily wireless gear-shifting systems can be compromised, potentially turning the tide of a race with a well-timed attack. In an era where every bit of performance matters, it's not just about the athletes anymore — keeping tech secure is just as important to ensure fair competition and safety on the track. The future of sports could very well depend on staying one step ahead of these evolving threats.
Acknowledgements and Proof-of-concept Video
The work was partially supported by NSF grant 2144914. We thank Keith Wakeham and Virgyl Fernandes for their technical expertise in cycling components, and Andreas Noack for his expert suggestions on URH. A proof-of-concept demo video can be found here: <https://www.youtube.com/watch?v=7Pgd-EpLtDg>