Shimano GRX Di2 RX825 levers

Here’s the real lesson from that wireless shifting hack

No one is going to make your drivetrain mis-shift, but bikes' increasing connectivity will likely make them targets sooner or later.

The scene: late afternoon at a nondescript hotel carpark in Kortrijk, Belgium, during Holy Week 2025.

Just days ago, Mathieu van der Poel won his fourth Tour of Flanders, dropping Wout van Aert on the Oude Kwaremont to solo to victory. As a light mist falls, an Alpecin-Deceuninck mechanic adjusts the Classics superstar’s bike in a workstand, shifting up and down through the gears to ensure the freshly cleaned and prepped machine is ready for tomorrow’s Paris-Roubaix. 

At the opposite end of the carpark, a man sits in the driver’s seat of a nondescript Skoda sedan. A laptop sits on the dash, connected to a small antenna pointing out the window. As the mechanic works, the man taps a few buttons, smiles, and then closes the laptop lid before driving away.

The next day, as the front of the race thunders down the Carrefour de l’Arbre, Van der Poel lays down a wicked attack near the end of the sector. Only Van Aert can follow. Then, inexplicably, Van der Poel’s chain drops from the big chainring to the small. He jabs at the left shifter and then also the right in increasingly frantic motions, but nothing happens. A gap opens. Van der Poel spins furiously but – trapped in a too-small gear – he can only watch in frustration as Van Aert exits the sector and disappears around the corner on the short paved bit between the Carrefour and Gruson cobbles, riding away to capture the cobble Monument that has always eluded him.

Back at the red-brick Restaurant l’Arbre at the exit of the Carrefour, the man from the carpark imperceptibly slips a small radio transmitter into his jacket pocket and walks away, lighting a cigarette. Mathieu van der Poel has just been hacked.

Do drivetrains dream of electric shifts?

Before we go any further, let’s underline that the above is – right now – science fiction. But a new research paper presented last week at USENIX, a top computer security symposium, showed that might not be the case for long. In the report, the authors – professors at University of California San Diego and Northeastern University – successfully attacked a Shimano Di2 shifting system to force it to mis-shift. 

The news spread quickly, with stories in mainstream outlets like The Verge, Wired (written by “Sandworm” author Andy Greenberg, no less), and several threads on Reddit – the largest of which has, as of publication, over 140 comments.

The technique requires some expertise to pull off and is logistically difficult. If you’re not a pro racer, you have little to worry about, and Shimano just pushed a firmware update to its pro team partners that it says will fix the problem (a consumer update is pending and Shimano says it will be available in late August). 

But the root vulnerabilities of wireless communication systems can never be fully patched. “We’ve done a lot of different types of security research in our career and the one thing we’ve learned is that there is no such thing as perfect security,” Earlence Fernandes, a co-author of the Shimano paper and assistant professor of computer science at UCSD, told Escape Collective in an interview. “There is always some kind of problem.”

Most notably, the core exploit technique is not necessarily specific to Shimano. In theory it can be turned against any short-range proprietary wireless link found on bikes: drivetrains from other manufacturers, and even electronic suspension like RockShox’s Flight Attendant, which, like SRAM’s drivetrains, runs on SRAM’s AXS wireless system. (Some other connected components, like power meters, transmit on ANT+, which is not a secure protocol either; but a power meter can’t be zeroed while in motion, and hacking one to, say, fake a power readout would gain an attacker little.)

“The vulnerability reported does not impact our products,” said SRAM’s director of digital product, James Meyer, in an e-mail response to Escape‘s request for comment. “Countermeasures against these forms of attack have been inherent in the SRAM wireless products since the introduction of eTap in 2016 and continue with AXS.”

Aanjhan Ranganathan, another co-author on the Shimano paper and associate professor of computer science at Northeastern, conceded in our interview that “it’s hard to predict” if a similar attack would work on AXS, but that’s mostly because they haven’t tried yet. “We can’t really say until we actually look at [SRAM’s] protocol and see what we find.” That’s a likely next step for the team.

Make no mistake: the real risk is small. But it is not zero, and that’s to say nothing of the other vulnerabilities in head units and phone apps we use to interface with many of these technologies, which could themselves be targets for malicious actors.

Computer chips, RF radios: modern wireless electronic drivetrains are marvelous, but bring with them new vulnerabilities.

Shimano and SRAM told Escape that they design all their products with network security in mind and regularly review those protections – in SRAM’s case including with third-party audits. “Shimano is unaware of real-world attempts to implement this or any other wireless hacking on the Di2 system,” a company spokesperson said in response to a request for comment, adding that Shimano “is always analyzing potential threats from malicious actors throughout product and technology development.”

But the extent of that work is unclear. Security is not a core focus for bike companies, according to Keith Wakeham, a wireless communication expert who has held high-level engineering roles with 4iii, Campagnolo, and Body Rocket (he consulted informally with the study authors but was not otherwise involved). “There isn’t much overlap for security researchers and bikes, so I would bet this is still security by obscurity,” he told Escape via e-mail of the lack of successful exploits until now. 

In any case, nearly a decade after SRAM first launched its wireless eTap drivetrains and spurred idle conversation about hacked shifting, it’s actually happened. While this exploit itself may be no big deal, it underlines that in a world where bikes are increasingly connected devices, cycling’s black-hat future may have finally arrived.

The left hand shift of darkness

Wireless shifting is a kind of modern marvel for cycling. Press a button and – with no physical connection between shifter and derailleur – the system can execute a flawless shift almost as fast as a wired system. It does this with a system of protocols that offer very fast communication with low latency, or lag time, and minimal power draw, which is why you forgot to charge your battery (again).

There are three main communication protocols found on wireless drivetrains like Di2 and AXS. Bluetooth is used for initial setup – pairing the shifters and derailleurs – and customizing features or downloading firmware updates from an app like Shimano’s E-TUBE Project or SRAM’s AXS app. Bluetooth is essential for those processes, and has widely known security vulnerabilities, but it’s not involved in the actual shifting.

Neither is the second protocol, ANT+. Based on the Garmin-owned ANT communication architecture, ANT+ is low power and sports hardware-specific. It’s what connects your drivetrain and power meter to your head unit and transmits power data and your gearing to your Wahoo and monitors your devices’ battery life to send you reminders to charge them.

Shifting itself is controlled by a third wireless protocol, and these are typically proprietary. SRAM’s is called Airea. Shimano’s doesn’t have a name (that we know of) but plays the same role. It operates at 2.478 GHz, very close to the band ANT+ uses, and, as with Airea, its sole job is to carry commands between the shifters and the derailleurs. 

Every time you press a shift button, several data packets are exchanged between the shifter and derailleur on this frequency. Each packet carries the command (and the acknowledgement coming back) and is bound to one specific set of paired shifters and derailleurs by keys established at pairing, so the derailleur only acts on packets from its own shifters – that’s how you can sit in a bunch full of riders on the same drivetrain brand and not get crosstalk. It does all this in mere milliseconds.

Again, marvelous, right? Wireless shifting has also made aspects like installation simple and easy to do. In fact, that’s the primary reason we have it, said Wakeham. He pointed out that riders aren’t the main customer for big component brands like SRAM and, especially, Shimano; bike brands like Specialized and Trek are. For the rider, “wireless isn’t innovation for the user except in aesthetics,” he said, because shifting is slower than full-wired systems and of course the system is less secure. But wireless shifting solves a bothersome problem for bike brands: assembly. As Wakeham put it, “it means complex internal wire routing can be avoided in factories.”

Because they connect to Bluetooth, even wired systems aren’t completely secure. But wireless shifting opens up an entirely new vulnerability.

Crypto-noticon

What the researchers did, in short, is analyze Shimano’s proprietary communication protocol and build a system that captures those packets over the air and re-transmits them, so that to the derailleur they appear to come from the rider’s own shifters – effectively taking control of the system. Because the signals go out over the air, an inexpensive, off-the-shelf piece of hardware called a software-defined radio (SDR) can be tuned to the 2.478 GHz transmission frequency and record them.

Those packets are encrypted, but for this particular exploit that doesn’t matter: the attacker never has to decrypt anything, because two quirks make Shimano’s system, at least, quite vulnerable to a replay. First, Shimano’s communication protocol doesn’t use timestamps – or any other freshness value, such as a message counter, that would let a derailleur tell a fresh command from a recording of an old one.

That’s essential for the second part of the exploit, which involves sending the captured packets back to the system – replaying them, which the coverage loosely calls spoofing – where they cause the drivetrain to shift outside the rider’s command or control; that’s the takeover. Without timestamps, hackers only need to resend the recorded signal as-is. Without timestamps, “there’s no information in the signal that allows [the drivetrain] to give it a perception of time,” said Ranganathan. “All it sees is, ‘Here is a validly encrypted signal using the right set of keys.’”

The study successfully captured and spoofed drivetrain shift signals; researchers later repeated the attack outside in a live environment on a bike.

The second quirk for Shimano is that it uses what amounts to constant encryption: the same command produces the same bytes every time, so once a shift signal is copied, the system will continue to accept that recording as legitimate until and unless the encryption key itself is changed – say, by unpairing and re-pairing the derailleurs and shifters.

By contrast, SRAM uses what are called rolling encryption codes that change periodically – the idea behind the rolling codes in modern car key fobs and garage-door openers, where a code that has already been used is not accepted again. (For security reasons, SRAM declined to say how often its codes change or whether Airea signals contain timestamps.)

All a hacker needs to do in this case is capture one upshift signal and one downshift signal. After that they can replay either any number of times, causing a Di2 drivetrain to shift outside the rider’s control or, alternately, stopping it from shifting entirely – a kind of narrow, targeted jamming of that one bike (broad-spectrum jamming is also possible but would affect every bike within range). Because the encryption is constant, the capture could be done hours, days, even weeks in advance of the attack, as long as that same set of shifters and derailleurs was still in use on the same pairing.
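To make the two quirks concrete, here is an added example, not code from Shimano, SRAM or the researchers: a toy model of a shifter-to-derailleur link in Python. The cipher (an HMAC-SHA256 keystream with an HMAC tag), the 16-byte pairing key, the one-byte command codes and the packet layout are all assumptions chosen for the illustration; only the protocol logic matters. The first design encrypts every command under a fixed nonce with no timestamp or counter, which is the situation the article describes. The second goes slightly beyond the article’s specific case: it adds a per-message counter that is authenticated together with the command, the general replay defence behind what the article calls rolling codes, and shows the derailleur rejecting both the recording and a packet whose counter was tampered with.

```python
"""Replay attack on a shift-command link: no freshness vs. a per-message counter.
Added illustration; a constructed toy model, not Shimano, SRAM or MakeShift code."""
import hashlib
import hmac
import struct

PAIRING_KEY = bytes(range(16))         # constructed per-pairing secret (assumption)
UPSHIFT, DOWNSHIFT = b"\x01", b"\x02"  # constructed one-byte command codes (assumption)
TAG_LEN = 8


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce) truncated to n bytes (stand-in)."""
    return hmac.new(key, b"ks" + nonce, hashlib.sha256).digest()[:n]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns ciphertext || tag; the tag also covers the nonce."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def unseal(key: bytes, nonce: bytes, sealed: bytes):
    """Verify the tag and decrypt; None means forged or tampered."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Design 1: encrypted, but a fixed nonce and no timestamp/counter ("constant encryption").
FIXED_NONCE = b"\x00" * 4


def static_send(cmd: bytes) -> bytes:
    """The same command yields byte-identical packets every time."""
    return seal(PAIRING_KEY, FIXED_NONCE, cmd)


class StaticDerailleur:
    """Executes any packet whose tag verifies, no matter how old it is."""
    def __init__(self):
        self.gear = 5

    def receive(self, packet: bytes) -> str:
        cmd = unseal(PAIRING_KEY, FIXED_NONCE, packet)
        if cmd is None:
            return "reject:bad-tag"
        self.gear += 1 if cmd == UPSHIFT else -1
        return "shift"


# Design 2: a 32-bit counter travels in the clear but is bound by the tag (rolling-code idea).
class CounterShifter:
    def __init__(self):
        self.counter = 0

    def send(self, cmd: bytes) -> bytes:
        self.counter += 1
        nonce = struct.pack(">I", self.counter)
        return nonce + seal(PAIRING_KEY, nonce, cmd)


class CounterDerailleur:
    def __init__(self):
        self.gear = 5
        self.last_counter = 0

    def receive(self, packet: bytes) -> str:
        nonce, sealed = packet[:4], packet[4:]
        cmd = unseal(PAIRING_KEY, nonce, sealed)
        if cmd is None:
            return "reject:bad-tag"   # tag first: a tampered counter never reaches the freshness check
        (counter,) = struct.unpack(">I", nonce)
        if counter <= self.last_counter:
            return "reject:replay"    # already consumed: this is the event worth logging
        self.last_counter = counter
        self.gear += 1 if cmd == UPSHIFT else -1
        return "shift"


def run_attack() -> dict:
    """Record an upshift and a downshift from each design while the bike is on the
    workstand, then replay the downshift three times later on."""
    out = {}
    up, down = static_send(UPSHIFT), static_send(DOWNSHIFT)   # what the SDR in the carpark records
    out["static_identical"] = static_send(UPSHIFT) == up
    rider = StaticDerailleur()
    rider.receive(up); rider.receive(down)                     # mechanic's own shifts: gear 5 -> 6 -> 5
    replays = [rider.receive(down) for _ in range(3)]          # attacker's replay on the cobbles
    out["static"] = (replays, rider.gear)

    shifter, rider = CounterShifter(), CounterDerailleur()
    up, down = shifter.send(UPSHIFT), shifter.send(DOWNSHIFT)
    rider.receive(up); rider.receive(down)                     # gear 5 -> 6 -> 5, counters 1 and 2
    replays = [rider.receive(down) for _ in range(3)]
    forged = struct.pack(">I", 99) + down[4:]                  # bump the counter without the key
    out["counter"] = (replays, rider.gear, rider.receive(forged))
    out["counter_identical"] = shifter.send(UPSHIFT) == up
    return out


if __name__ == "__main__":
    print(run_attack())
```

Run it and the static design executes the recorded downshift three times, dropping the gear from 5 to 2, while the counter design refuses all three replays with a `reject:replay` reason and the tampered packet with `reject:bad-tag`; those rejections are exactly the events a firmware log would need to record for the forensic question raised below to have an answer. One caveat a practitioner should keep in mind: a counter only rejects a packet the derailleur has already consumed. An attacker who captures a command while jamming it so the derailleur never hears it (the “rolljam” trick used against car key fobs) holds a packet that is still fresh, which is why a timestamp, or a challenge from the receiver, is a stronger defence than a counter alone. A real implementation would also tolerate a small gap in counter values for lost packets and persist the counter across battery swaps.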

That all sounds elegant and simple, but it’s not quite as easy as that. Again, to execute, the hacker first needs to intercept the legitimate signal. In a crowded field of riders, it would be nearly impossible to zero in on a single bike – you’d need to be able to capture its signals in isolation, hence the fictional carpark scenario above.

Then, to transmit, the hacker needs to be relatively close to the rider – about 10 meters or less. And the hacker needs to trigger the system. That would be easiest if it was another rider in the pack, who could identify the crucial moment (that also, of course, requires the fitness to be there in that moment). While the setup the researchers use was fairly large and unwieldy as shown in the picture above, both the researchers and Wakeham pointed out that the devices could fairly easily be miniaturized using off-the-shelf parts like a Raspberry Pi single-board computer or even a reprogrammed Apple AirTag that would fit inconspicuously in a jersey pocket. 

A quick press of a button – say, a reconfigured remote shifter – would be all it takes to send a competitor’s bike haywire. Alternately, a person in a follow car behind a breakaway, or even placed roadside at a crucial spot like the Carrefour, would be at least momentarily in range. The parts involved are increasingly affordable, and the hack itself would be very hard to detect: to the rider it would look like a momentarily malfunctioning drivetrain, and even a forensic analysis of the system’s own data logs might not reveal whether the commands came from the rider’s shifters or from an outside radio.

All tomorrow’s group rides

Again, you can never make a wireless communication system completely secure. But you can make it such a pain to hack that it’s simply not worth it. Among the potential fixes the researchers outlined are for Shimano to adopt rolling encryption codes and to add timestamps to the packets; either one gives the derailleur a way to reject a recording of an old command. (Shimano declined to specifically detail the fixes in the patch it rolled out to pro teams recently.)

According to the researchers, while Shimano doesn’t have a formal “bug bounty” program, the company was immediately responsive when informed of the vulnerability. “We worked with them pretty closely and helped them with technical assistance on replicating the issues,” said Ranganathan. The two teams were in constant communication, with Shimano engineers in Japan sometimes meeting late at night for conference calls with the US-based researchers. 

Ranganathan said Shimano incorporated some of the researchers’ recommendations into the patch that was rolled out to pro teams. “It was a pretty good experience” to work with Shimano, he said, adding that’s often not the case when companies are informed of security vulnerabilities in their products.

But there is no free lunch. Adding security features like rolling encryption codes might reduce battery life, for instance, and since riders have gotten used to exceptional run time, any noticeable erosion in that feature would likely meet with grumbles.

What’s more, Wakeham adds, since the systems are built with parts from outside suppliers, a fix may not always be as simple as pushing a firmware update. “A lot of these mechanical hardware-first companies depend on contracts with lesser-known companies,” for component parts like the wireless radios, he said. “Baking the protocol into that unknown RF chip could mean it’s not changeable – unlikely, but possible.” Even if a particular fix is possible via a firmware update, if that task was itself outsourced to a contractor, then the brand is reliant on that source – or a new subcontractor – to code the fix.

In fact, the best defense against hacks of bikes might be that they’re just bikes. Cyclists and bike racing in particular are a complete backwater and a relatively un-lucrative one for thieves compared to tempting targets like car key fobs and garage door openers.

In fact, the primary reason the researchers focused on wireless drivetrains as a hacking project to begin with is that Fernandes is himself a cyclist and thought it would be interesting (they picked Shimano mostly because of the company’s market share). These exploits may have been hiding in plain sight for years.

But the industry may have relied on its relative obscurity for too long. As Wakeham said, it’s entirely possible that SRAM hasn’t been hacked this way yet simply because no one has tried. For experts within the industry, it’s bad form to try to get a competitive advantage by hacking competitors’ products. And for researchers “most efforts require a whole dedicated groupset, sometimes multiple, and a lot of time and equipment,” which may be beyond the modest means of many academic labs.

Those researchers – as well as malicious hackers – are typically more focused on higher-profile, ubiquitous targets: cars and connected-home products like wireless door locks and appliances. But bikes are expensive products, and as they increasingly become connected devices, security by obscurity may no longer be sufficient protection.

A hacker taking control of your bike to mis-shift your drivetrain or lock out your suspension on a critical section of trail is such a remote (sorry) possibility for most riders that it’s barely worth considering – although for high-stakes professional sport it’s no longer out of the question.

The researchers noted that multi-million dollar sponsorships can turn on results in the Tour de France and that’s a potential motivator for malicious actors within the sport. Wakeham, however, is skeptical that big teams would want to be involved with something quite that shady, and smaller actors might not find the expense or hassle worthwhile.

But with the direct influx of pro money into sports there’s been a concurrent boom in the amount of sports-adjacent spending in betting markets – sportsbooks were an $11 billion business last year in the United States alone, and it’s entirely possible to envision a motivated gambling network coming up with a creative way to use an exploit to win prop bets (“Mathieu van der Poel is dropped on the Carrefour de l’Arbre” at, say 50:1 odds).

The bigger and more unsettling issue is what the hack says about cycling’s future in an increasingly connected world. Again, one of the key vulnerabilities isn’t bikes’ proprietary shifting protocols at all, but the connected apps and head units we use to record our activities.

Those apps – like Wahoo’s ELEMNT, Garmin Connect, Strava and, increasingly, AXS – connect with Bluetooth (which has widely known existing and new vulnerabilities) and can all contain personally identifiable information down to gender and location data. If you granted permission, they can access your contacts, camera, and social media accounts, making them Trojan horses to allow hackers into other parts of our digital lives. And even if individual users are careful, companies are themselves tempting targets. Almost exactly four years ago, ransomware hackers compromised Garmin and took down its Connect app, encrypting the company’s systems and reportedly demanding $10 million in ransom.

The GPS giant restored user access within days. But Garmin notably never said whether it regained control over its systems through its own formidable cybersecurity capabilities. Some suspect the company just paid the ransom. And Shimano and SRAM’s resources pale in comparison to Garmin, a publicly traded company with a market capitalization of nearly US$34 billion and which provides GPS products and services to national security clients like the US Department of Defense.

To illustrate that resource gap, the researchers were in direct communication with Shimano about the exploit by early April and their plans to present their findings at August’s USENIX conference. Despite the company’s fast response, it’s taken four months from a friendly heads-up from white-hat hackers to get a patch ready to roll out to end users other than pro teams; what would be the timeline for Shimano – itself hit by a ransomware attack last year – to even discover a real zero-day exploit from malicious hackers? What could SRAM realistically do against an app-wide hack of AXS except pay a ransom?

We may not be the customer for those brands, but we very much are the user of their products. It’s one thing not to be able to upload your ride data to your cloud-based training app; it’s another not to be able to ride at all because a hacker’s ransomware attack pushed out a malicious firmware update and bricked your drivetrain.
