
Security-pro riders react to wireless-shifter bike hack

Their reaction: Interesting, but pump the brakes.

University of California San Diego’s Earlence Fernandes, who has found ways to get self-driving cars to run stop signs and front doors of “smart homes” to unlock, can now add “bike” to his list of “things hacked.”

The impressive demonstration from Northeastern University and UC San Diego—the control of wireless gear-shifter signals to ultimately slow down a rider—seems unlikely to keep security-pro cyclists, including Fernandes himself, off the road, though.

“If I was a professional cyclist, this would be concerning. But if you’re a recreational amateur-type cyclist, and you go to your Saturday group, I would not be concerned at all,” Fernandes told IT Brew, citing instances of unfair play in pro cycling, like motorized doping and performance-enhancing drugs.

How it works. To perform the feat, an attacker needs a laptop and a software-defined radio, a single-board platform that enables the collection and transmission of wireless waveforms. The “SDR” records two signals: upshift and downshift, according to the team’s report.

In the case of cycling manufacturer Shimano, which did not respond to requests for an interview, its left and right shifters wirelessly transmit gear-shifting instructions to the rear derailleur.

“The attacker can just snatch that signal out of the air and then record it. And then at a later time, just play it out back into the air again using that software-defined radio,” Fernandes said.

The team has since worked with Shimano to develop mitigations for the cyberattack—a “rolling code” mechanism, according to Fernandes, which creates a secret, changing number that only the transmitter and receiver “knows.”
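To illustrate why a rolling code defeats the record-and-replay approach described above, here is an added example that is not from the article, the research team, or Shimano. The frame layout, key, tag length, acceptance window and all names are assumptions chosen for the sketch, not the vendor's protocol.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8    # truncated HMAC-SHA256 tag length (assumed)
WINDOW = 16    # missed presses tolerated before re-pairing is needed (assumed)
COMMANDS = {b"U": "up", b"D": "down"}

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Shifter side: 4-byte counter || 1-byte command || tag over both."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Derailleur:
    """Receiver side: each counter value is accepted at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> str:
        if len(frame) != 5 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return "reject: replay"          # recorded frame played back
        if counter > self.last_counter + WINDOW:
            return "reject: out of window"
        if body[4:] not in COMMANDS:
            return "reject: unknown command"
        self.last_counter = counter
        return "shift: " + COMMANDS[body[4:]]

def demo() -> list:
    key = bytes(range(16))                   # constructed pairing key
    rx = Derailleur(key)
    upshift = make_frame(key, 1, b"U")
    downshift = make_frame(key, 2, b"D")
    flipped = downshift[:4] + b"U" + downshift[5:]   # command byte altered in transit
    return [rx.receive(upshift), rx.receive(upshift),  # second call is a replayed copy
            rx.receive(flipped), rx.receive(downshift)]

if __name__ == "__main__":
    print(demo())
```

The counter check stops replays and the keyed tag stops edits to a captured frame; neither addresses jamming, which the article raises separately.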

Thoughts? Wireless shifting emerged around 2015. A July 2024 poll from media network VitalMTB showed that 16% of respondents loved electronic shifting and would “never ride a mechanical drivetrain again” (14%, conversely, said they’ll never go electronic).

Jerry Perullo, avid cyclist, former racer, and founder at Adversarial Risk Management and professor of the practice in the School of Cybersecurity and Privacy at Georgia Tech, uses wireless gear shifters and has “zero concern” about this cyber-cycling attack.

“It is an unsurprising finding, and the likelihood of being exploited maliciously against a recreational rider is akin to that of someone jamming a stick in your spokes,” Perullo wrote to IT Brew, adding that the cheat feat would be difficult to pull off without getting caught. (The compromise works at a range of up to 10 meters, according to the report.)

Unlike most of his cyclist friends, Jimmy Mesta, CTO and co-founder at RAD Security, does not use wireless shifters. “I treat biking as a very analog, disconnected activity where I get to be in nature,” Mesta told IT Brew.

Mesta is less concerned about a shifter hack and more uneasy about increasingly sophisticated bikes that connect electronics to a mobile app.

“You get this tracking mechanism that really is not ideal for my personal risk tolerance,” Mesta said.

Perhaps it’s no surprise that Fernandes, who says he rides 100 miles a week, uses wired electronic shifting—and not just because wireless systems always carry the possibility of being jammed.

“A physical wire carrying an electronic signal is much harder to get to,” he said.
