Hacking Wireless Bicycle Shifters - Schneier on Security

Comments

Clive Robinson August 20, 2024 10:54 AM

@ Bruce, ALL,

Whilst a patch might solve one aspect of the problem it won’t stop others.

There is such a thing as “jamming margin” which is always going to be present in radio based systems.

Put simply, if I increase my on-frequency energy above that of the user at the receiver antenna, their signal becomes lost, as the demodulator in the receiver demodulates my signal, not that of the user.

Even with complex modulation schemes such as Spread Spectrum the same thing applies; just more power is required by my transmitter…

Believe it or not one of the reasons such radio systems are used is because it’s less expensive than using wire as well as being less weight etc.

Eriadilos August 20, 2024 11:29 AM

It at least seems like Shimano thought a little about the security of their solution, although it is obviously not perfect.
The replay attacks presented are preventable and seem to be mitigated through a firmware update.

However, I don’t see how the DoS can be prevented; it is inherent to wireless technologies. In the case of the Tour de France and other professional riders I see two solutions:
– The tech-savvy teams will switch back to mechanical, which is improbable
– Once an attack is carried out and has serious consequences on performance or rider health, they will switch back to mechanical

I get that wireless is attractive to manufacturers as it saves them cable routing, but what is wrong with simple cables? As a user, having to recharge your (leg-operated) bike seems unnecessary.

Aaron August 20, 2024 11:53 AM

Wireless Bicycle Shifters
Another technological tale of “just because you can, doesn’t mean you should”

dorian August 20, 2024 11:58 AM

The researchers wrote “Modern bicycles are cyber-physical systems”, but it’s not really true. Bruce has it right: this affects “big money” bicycles. The Dura-Ace Di2 costs around $4,000 (USD), whereas the “affordable” 105 Di2 is about half that.

A non-racer can get a pretty nice bicycle for under $1,000; possibly well under, with end-of-season and rental-bike sales during the next 60 days or so. It’ll include quite a lot of modern technology, but nothing “cyber”. (Indexed shifting was apparently invented in 1969, for example, but only become common during the 1990s. And there are reasons why bicycles themselves didn’t become popular till the 1890s.) The vast majority come with no electrical or electronic components whatsoever.

lurker August 20, 2024 2:42 PM

Bluetooth Bites Again…
I can understand the incentive on racing bikes to eliminate the weight and wind resistance of physical wiring, but the “designers” of these systems seem to have assumed that “wireless” is some magic sauce that simply replaces wires. The ability to complicate things by linking with wearable body function monitors must have been irresistible. And of course to keep costs down they don’t hire anybody who understands “wireless” communications and security.

Years ago I had a bike odometer, mechanical, mounted on the front fork, with a five-toothed cog which was turned one tooth (1/5th of a turn) when struck by a pin screwed onto one of the wheel spokes. There were specific devices for the two popular wheel sizes. Nowadays, with many wheel sizes used, a one-size-fits-all electronic gadget uses a magnet on the spoke which excites a Hall effect sensor, wired to a tiny computer on the handlebar which can be set for any wheel size and calculate speed, trip distance, total distance, &c. The wire between sensor and counter is now being replaced by a Bluetooth connection, even for commuter shopping bikes. The basic reason seems to be “just because.”

finagle August 20, 2024 3:55 PM

Not disputing their results, but when SRAM first mooted wireless shifters as a response to issues over them launching a competitor to the wired Di2 Shimano system there were immediate concerns over security and whether a bike could be hacked. Quite a lot of conversations ensued.
How the SRAM security was described to me at the time was wireless signals would use AES256 encryption, with the components needing to be paired in advance to setup a unique shared secret across the components. Once the parts were paired then signals would be unique to the components on the bike. Replay attacks were mentioned and I think a simple single use token was incorporated in each message, to ensure playback attacks were impossible. A wired connection to a laptop was needed to change the pairing. They weren’t Bluetooth at that time either, as Bluetooth was higher battery consumption, and range was severely limited, so interception required you to be really close to a moving bike.
Shimano implemented their wireless more recently, so I would have expected it to be more secure, but clearly not.
For those that don’t build or maintain bikes, or maybe even ride them, who are scratching their heads as to why wireless shifting is even a thing: electronic shifting is smooth and less susceptible to wear. Wireless systems don’t need to run relatively thin, fragile wires either over or through a frame, and can be bolted on the outside, reducing the complexity of frame design, build-up and maintenance. They are less bothered by dirt as well, so better for cyclocross or mountain bikes. Definitely a place for them, but like all things, they need to be secure, and honestly, I thought they were after getting involved with talking through it publicly before the first system even launched.
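The replay-protection scheme described in the two comments above (a pairing-time shared secret, a single-use token in every message, and a receiver that refuses anything it has already seen), as an added example that is not code from the page, from Shimano or from SRAM. It uses HMAC-SHA256 from the Python standard library as a stand-in for the AES-256 authenticated message the SRAM description mentions, and a 32-bit monotonic counter as the single-use token; the frame layout, field sizes, command codes and gear count are assumptions, not any vendor's wire format. The naive receiver at the end authenticates frames but keeps no counter, which is exactly the property a recorded-frame replay exploits.

```python
"""Replay-protected shift commands: monotonic counter as single-use token plus a MAC.

Constructed example (not Shimano's or SRAM's code). HMAC-SHA256 stands in for the
AES-based authentication described in the thread; frame layout and command codes
are assumed.
"""
import hashlib
import hmac
import secrets
import struct

SHIFT_UP, SHIFT_DOWN = 0x01, 0x02
BODY_FMT = ">BI"                         # 1-byte command, 32-bit big-endian counter
BODY_LEN = struct.calcsize(BODY_FMT)     # 5 bytes
TAG_LEN = 8                              # truncated MAC; 64 bits is ample at a few frames per second on air


def pair():
    """Pairing: both ends receive the same fresh 256-bit key over the wired setup link (assumed)."""
    return secrets.token_bytes(32)


def mac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Shifter:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def command(self, cmd):
        self.counter += 1                # never reused; must survive battery swaps or the token repeats
        body = struct.pack(BODY_FMT, cmd, self.counter)
        return body + mac(self.key, body)


class Derailleur:
    """Hardened receiver: check the MAC first, then reject any counter not above the last accepted one."""

    def __init__(self, key, gears=12):
        self.key, self.gears, self.position, self.last_counter = key, gears, 6, 0

    def receive(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return "reject:length"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if not hmac.compare_digest(tag, mac(self.key, body)):
            return "reject:bad-mac"      # tampered, or paired to a different bike
        cmd, counter = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return "reject:replay"       # already consumed, or older than one already accepted
        self.last_counter = counter      # gaps are allowed: frames lost to interference must not wedge the link
        return self._apply(cmd)

    def _apply(self, cmd):
        if cmd not in (SHIFT_UP, SHIFT_DOWN):
            return "reject:unknown-cmd"
        step = 1 if cmd == SHIFT_UP else -1
        self.position = max(1, min(self.gears, self.position + step))
        return "ok"


class NaiveDerailleur(Derailleur):
    """The replayable design: authenticates each frame but keeps no counter state."""

    def receive(self, frame):
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if len(frame) != BODY_LEN + TAG_LEN or not hmac.compare_digest(tag, mac(self.key, body)):
            return "reject:bad-mac"
        cmd, _ = struct.unpack(BODY_FMT, body)
        return self._apply(cmd)


def demo():
    """Run the attacker's moves against both receivers; returns the outcomes."""
    key = pair()
    shifter, hardened, naive = Shifter(key), Derailleur(key), NaiveDerailleur(key)
    captured = shifter.command(SHIFT_UP)               # attacker records one legitimate frame
    results = {"legit": hardened.receive(captured), "naive_legit": naive.receive(captured)}
    results["replay"] = hardened.receive(captured)      # counter 1 already consumed
    results["naive_replay"] = naive.receive(captured)   # shifts again: the attack in the thread
    tampered = bytearray(captured)
    tampered[0] ^= SHIFT_UP ^ SHIFT_DOWN                # flip the command byte, keep the tag
    results["tampered"] = hardened.receive(bytes(tampered))
    results["other_bike"] = hardened.receive(Shifter(pair()).command(SHIFT_UP))
    for _ in range(3):
        shifter.command(SHIFT_DOWN)                     # three frames lost to interference
    results["after_gap"] = hardened.receive(shifter.command(SHIFT_DOWN))
    results["positions"] = (hardened.position, naive.position)
    return results
```

Two caveats a practitioner would add: the receiver's `last_counter` has to be stored in non-volatile memory, because a receiver that forgets it after a power cycle will accept every frame the attacker has ever recorded; and none of this touches the jamming DoS discussed elsewhere in the thread, since an attacker who cannot forge or replay frames can still drown them out.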

Chris Becke August 21, 2024 1:26 AM

I have enough trouble getting my bluetooth headphones to work reliably in the office. Bluetooth has 79 channels with channel hopping to resist interference. This, in a peloton, seems like a recipe for disaster.

Q August 21, 2024 2:51 AM

This isn’t IoT.

These things are 100% local-only, using radio links (BT and the like). No Internet is needed or used.

Eriadilos August 21, 2024 3:39 AM

@finagle

With wireless systems, interception from a good distance is always possible; it is just a matter of antenna gain and directivity.
Since the rear mech and shifter are ~1 m away from each other, interception from quite far away, 10 to 25 m, is likely with a normal SDR and antenna.

It doesn’t seem like Shimano is using Bluetooth either, but a proprietary protocol that operates in the same range. The range such devices can use is quite limited legally, and 2.4 GHz is the most common.

I get that electronic shifting is more precise, but I don’t get your comment on the wires: mechanical bikes have had internal routing for quite some time and it doesn’t seem to be a problem. Wires don’t have to be thin or fragile: high-end bikes that weigh less than 6.8 kg are common and ballast is added to get over the limit, so putting more copper in the wires to add maybe 25 g to the bike doesn’t seem to be a problem.
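Clive Robinson's jamming-margin point and Eriadilos's interception-range estimate above are both link-budget arithmetic, so here is one worked example covering both. It is added here and is not from the page or from any vendor: free-space propagation (Friis), isotropic antennas unless stated, and round-number transmit powers, spreading rates, required SNR, listener antenna gain and receiver sensitivity are all assumed for illustration, not measured from any shifter. It goes slightly beyond the comments by also computing how much transmit power a jammer needs at a given distance once spread spectrum raises the margin.

```python
"""Link-budget arithmetic for a 2.4 GHz shifter-to-derailleur link.

Constructed example: free-space propagation, isotropic antennas unless stated, and
round-number power levels, chip rates and sensitivities chosen for illustration.
"""
import math

C = 299_792_458.0        # speed of light, m/s
FREQ_HZ = 2.44e9         # assumed centre of the 2.4 GHz ISM band


def fspl_db(distance_m, freq_hz=FREQ_HZ):
    """Free-space path loss (Friis): 20*log10(4*pi*d*f/c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def rx_power_dbm(tx_dbm, distance_m, tx_gain_dbi=0.0, rx_gain_dbi=0.0, freq_hz=FREQ_HZ):
    """Power arriving at the receiver antenna port."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def processing_gain_db(chip_rate_hz, data_rate_bps):
    """Spread-spectrum processing gain: how far the despreader suppresses an in-band jammer."""
    return 10 * math.log10(chip_rate_hz / data_rate_bps)


def jamming_margin_db(proc_gain_db, required_snr_db, system_loss_db=0.0):
    """Jamming margin: the jammer-to-signal ratio at the antenna the link tolerates before losing lock."""
    return proc_gain_db - (required_snr_db + system_loss_db)


def link_jammed(signal_dbm, jammer_dbm, margin_db):
    """True when the jammer-to-signal ratio at the receiver antenna exceeds the margin."""
    return (jammer_dbm - signal_dbm) > margin_db


def jammer_tx_needed_dbm(signal_dbm, margin_db, jammer_distance_m, jammer_gain_dbi=0.0, freq_hz=FREQ_HZ):
    """Transmit power a jammer at a given distance needs to exceed the margin."""
    return signal_dbm + margin_db + fspl_db(jammer_distance_m, freq_hz) - jammer_gain_dbi


def intercept_feasible(tx_dbm, distance_m, listener_gain_dbi, sensitivity_dbm):
    """Eavesdropping check: does the signal arrive above the listener's receiver sensitivity?"""
    return rx_power_dbm(tx_dbm, distance_m, rx_gain_dbi=listener_gain_dbi) >= sensitivity_dbm


def scenario():
    """Shifter 1 m from the derailleur at 0 dBm (assumed); jammer and listener 25 m away."""
    signal = rx_power_dbm(0.0, 1.0)                       # about -40.2 dBm at the derailleur
    narrow_margin = 0.0                                    # narrowband: any stronger on-frequency signal captures the demodulator
    spread_margin = jamming_margin_db(processing_gain_db(11e6, 1e6), 8.0)   # 11 Mchip/s over 1 Mbit/s, 8 dB SNR needed (assumed): ~2.4 dB
    jammer = rx_power_dbm(30.0, 25.0)                      # 1 W jammer at 25 m: about -38.2 dBm at the derailleur
    return {
        "signal_dbm": signal,
        "jammer_dbm": jammer,
        "narrowband_jammed": link_jammed(signal, jammer, narrow_margin),
        "spread_jammed": link_jammed(signal, jammer, spread_margin),
        "jammer_needed_vs_spread_dbm": jammer_tx_needed_dbm(signal, spread_margin, 25.0),
        # listener with an assumed 12 dBi directional antenna and -90 dBm sensitivity
        "intercept_at_25m": intercept_feasible(0.0, 25.0, 12.0, -90.0),
        "intercept_at_100m": intercept_feasible(0.0, 100.0, 12.0, -90.0),
    }
```

With these assumed numbers the 1 W jammer at 25 m beats the narrowband link outright but falls just short of the spread-spectrum margin, and raising its power by about half a decibel (or halving its distance) closes that gap: spreading shifts the bar, it does not remove it. The interception rows show why the 10 to 25 m estimate is conservative; a modest directional antenna keeps the signal tens of decibels above a typical receiver's sensitivity at 100 m in free space.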

finagle August 21, 2024 6:27 AM

It’s important to remember this is not an Internet of Things situation. The controllers here are dedicated controllers, not general purpose computers. They are dedicated systems and have no internet connection. They have specific and limited Bluetooth APIs, and are not going to be infecting your fridge with a virus.
That aside the level of logistics required to create a targeted exploit against a specific bike and the potential impact of that makes it relatively hard. Technically it might be easy, but getting recordings of a specific bike (note not rider, bike) is non trivial. Getting a recording of a pro on their number one race bike is not going to be simple. These people rarely ride their race bikes alone, and even then they may replace components regularly in or between races, and often ride second or third or training bikes. While the video makes it look relatively cheap and simple to create, I’d characterise it as hard in real world conditions. Then deploying it requires you to set the transmitter at a specific point in a race where it might make a worthwhile difference and there are few places where top level racing is that predictable. It would have been possible to deploy this to say stop Cav getting his 35th stage win, assuming you had a recording of the bike he was on, but stopping Pogacar attacking on a climb, or impeding him, well his attacks are not that easy to predict.
Realistically just dropping a bidon, or letting a dog loose, or getting your cousin to wave a hello mum banner in front of the race is cheaper and easier.
As for an extortion attack, we have your gear change messages, pay us to avoid us using them, well the gear manufacturers sponsor the teams at the top level and the equipment you’ve targeted will be replaced in a matter of minutes. While they call the police.
So on sober contemplation, this is a weakness in a very specific set of equipment that is technically easy but logistically hard to exploit, and even harder to exploit with any hope of benefit, at the top level, or even just trying to bring down your annoyingly fit and healthy local lycra lout.

lurker August 22, 2024 1:16 AM

@finagle
“Then deploying it requires you to set the transmitter at a specific point in a race where it might make a worthwhile difference and there are few places where top level racing is that predictable.”

One place where it is highly predictable is on a rival’s bike. Nobbling your opponent is one of the oldest tricks in the book. This hack is not for lulz, it’s for the big money.

Adam Rice August 22, 2024 10:32 AM

To clarify for the non-cyclists in the room:

There are three shifting technologies in widespread use over the past ~10 years: cable-actuated mechanical, wired electronic, and wireless electronic (there have also been pneumatic and hydraulic shifting systems, but these are rarities).

Electronic shifting (either wired or wireless) has some benefits. It lets you put shift buttons wherever you want. It can automatically shift the front derailleur as you work your way up and down the gears. It is easier for people with limited hand strength to operate.

The benefits of wireless shifting specifically mostly accrue to the real customers of component makers: bike companies. They assemble thousands of bikes, and routing those wires is a time-consuming PITA.

Looking at Shimano’s command and acknowledge messages, I was surprised at how verbose they are: 200 bits for the command, 128 bits for the ack.

Northern Realist August 22, 2024 12:10 PM

There’s a simple solution…

The intent of using wireless is to reduce weight, improve aerodynamics, and reduce “response time”… so instead of needing an antenna, use a lightweight fibre optic cable that runs inside the frame…

Jon J August 22, 2024 3:02 PM

A keen cycling techie friend of mine has a bike he built with wireless shifters. Once you add his phone, Garmin, lights etc he has TEN different things to check and charge before he sets out on a day’s ride.

dorian August 23, 2024 3:43 PM

“Looking at Shimano’s command and acknowledge messages, I was surprised at how verbose they are: 200 bits for the command, 128 bits for the ack.”

Those who don’t understand CAN are doomed to re-invent it poorly, I guess. CAN could do this (including ACK) in 47 bits, plus however many bits the payload takes, plus bit-stuffing—under 64, anyway, allowing for 8000 messages per second on a 500 kbit/s bus. With 4 cables (2 data, 2 power, assuming the frame can’t be used for current return), probably 0.5 mm² or 0.75 mm² each.

Power it all from a dynamo hub, and it’d probably be reliable enough to eliminate the rear brake cable and housing, in which case it’d have little cost in weight. Add CAN sockets for powering and communicating with shifters, sensors, lights, and a computer—and of course USB-C for phone-charging (maybe control too)—and it might actually be pretty desirable. If the cost were to come down enough, I could stop worrying about batteries, and maybe it could even down-shift when I stop pedaling (I only almost always remember).

dorian August 24, 2024 2:01 PM

Correction: I misread the table, and those “mm²” values are actually diameters in millimeters. So we’re talking something more like 0.2 mm² cross-sectional area; imagine an old 4-wire telephone cable, if you’re not too young, or half a Cat-5 cable. Nice and light. (A dynamo produces around 3-6 watts, usually at 6 volts, so a 1-ampere rating should be sufficient.)
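The CAN overhead figures in the comment above (47 fixed bits, plus payload, plus bit stuffing) can be checked by building the frame bit by bit. The following is an added example, not code from the page or from any vendor: the field layout, the CRC-15 polynomial and the stuffing rule (a complementary bit after every five identical bits, from SOF through the CRC sequence) follow the classic CAN 2.0A data-frame format; the identifier, payload and 500 kbit/s bus rate are arbitrary, and the 200-bit command and 128-bit acknowledgement are the figures quoted in the thread, not measured here.

```python
"""Bit-level size of a CAN 2.0A (11-bit identifier) data frame, with CRC-15 and bit stuffing.

Constructed example. Field layout and stuffing rule follow the classic CAN data-frame
format; identifier, payload and bit rate are arbitrary. The 200/128-bit Shimano figures
are the ones quoted in the thread.
"""
CAN_CRC_POLY = 0x4599      # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1 (implicit x^15)


def to_bits(value, width):
    """Most-significant bit first."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def crc15(bits):
    """CAN CRC-15 over the unstuffed bits from SOF to the end of the data field."""
    crc = 0
    for b in bits:
        feedback = b ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if feedback:
            crc ^= CAN_CRC_POLY
    return crc


def stuff(bits):
    """Insert a complementary bit after five identical consecutive bits; the stuff bit starts the next run."""
    out, run_bit, run_len = [], None, 0
    for b in bits:
        out.append(b)
        run_bit, run_len = (b, run_len + 1) if b == run_bit else (b, 1)
        if run_len == 5:
            out.append(1 - b)
            run_bit, run_len = 1 - b, 1
    return out


def max_run(bits):
    """Longest run of identical bits; a correctly stuffed region never exceeds 5."""
    best = cur = 0
    prev = None
    for b in bits:
        cur = (cur + 1) if b == prev else 1
        prev, best = b, max(best, cur)
    return best


def build_frame(can_id, data):
    """Return the unstuffed frame, the bits as they appear on the wire, and the stuffed region alone."""
    if not 0 <= can_id < (1 << 11):
        raise ValueError("standard identifier is 11 bits")
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    # SOF (dominant), 11-bit ID, RTR=0 (data), IDE=0 (standard), r0=0, 4-bit DLC
    head = [0] + to_bits(can_id, 11) + [0, 0, 0] + to_bits(len(data), 4)
    payload = [bit for byte in data for bit in to_bits(byte, 8)]
    crc = to_bits(crc15(head + payload), 15)
    stuffed_region = stuff(head + payload + crc)     # stuffing stops before the CRC delimiter
    # CRC delimiter, ACK slot (sender transmits recessive; a receiver drives it dominant),
    # ACK delimiter, 7-bit EOF, 3-bit interframe space: 13 recessive bits, never stuffed
    tail = [1, 1, 1] + [1] * 7 + [1] * 3
    return {
        "unstuffed": head + payload + crc + tail,   # 47 + 8*len(data) bits
        "wire": stuffed_region + tail,
        "stuffed_region": stuffed_region,
    }


def frames_per_second(wire_bits, bitrate_bps=500_000):
    return bitrate_bps / wire_bits


def compare(data, shimano_cmd_bits=200, shimano_ack_bits=128):
    """CAN frame cost for a payload against the command-plus-ack bit count quoted in the thread."""
    frame = build_frame(0x123, data)
    return {
        "can_unstuffed_bits": len(frame["unstuffed"]),
        "can_wire_bits": len(frame["wire"]),
        "can_frames_per_s_at_500k": frames_per_second(len(frame["wire"])),
        "quoted_cmd_plus_ack_bits": shimano_cmd_bits + shimano_ack_bits,
    }
```

The "under 64 bits" figure in the comment holds before stuffing for a two-byte payload (47 + 16 = 63); stuffing adds whatever the identifier, data and CRC happen to require, and the bound on the stuffed region for a standard frame with n data bytes is (34 + 8n - 1) // 4 extra bits, so the wire length varies with content. Note also that the CAN ACK is a single bit slot driven by any node on the bus, not a reply message, which is why it is so much cheaper than a separate acknowledgement frame.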
