Tour de France
(A.BourgeoisP/CC 4.0)

Hacking Wireless Bicycle Brakes Could be a Big Issue for Races like the Tour de France

While computer scientists worry about electric vehicles being hacked, many of these worries also extend to high-end bicycles used for prestigious races like the Tour de France. Several bike manufacturers have switched bicycle braking systems to a wireless platform, making them vulnerable to hacking or other cybersecurity issues.

“Security vulnerabilities in wireless gear-shifting systems can critically impact rider safety and performance, particularly in professional bike races,” researchers from the University of California San Diego and Northeastern University write in a recent paper. “In these races, attackers could exploit these weaknesses to gain an unfair advantage, potentially causing crashes or injuries by manipulating gear shifts or jamming the shifting operation.”

Hacking Electric Vehicles Versus Bicycles

While a bicycle’s braking system may be open to potential hacks, an electric vehicle has other weaknesses that could be digitally exploited. Experts believe that public charging stations, in particular, could be a vulnerability, as hackers could add malware or other digital problems to the vehicle as it is plugged into a more extensive system. Additionally, hackers could grab personal information from the vehicle while charging, such as owner information, the car’s distinct ID, and even possible payment information.

These attacks could even translate to private or at-home charging stations, depending on the savviness of the hacker.

In contrast, a bicycle’s brake system is completely wireless, meaning there’s no “plug-in” for hackers. Instead, the gears and brakes work by the rider providing commands wirelessly to the derailleur, the device that moves the chains between gears on the bike. According to a recent press release, “The wireless system used a communication protocol, ANT+, which leaks information, allowing attackers to monitor what their target is doing in real-time.”

Because high-end bicycles strive to be more aerodynamic, switching from a wired to a wireless gear and brake system allows this, forcing more of these bicycles to use this platform.

However, researchers from U.C. San Diego and Northeastern University found that potential hackers can control and retransmit gear and brake commands to the bicycle without needing authentication. The researchers hacked into one of these bicycles and could manipulate it from up to 10 meters away by using standard devices known as software-defined radios.

They also found that the recorded commands could be used practically any time, provided the bicycle worked. Additionally, they could jam and disable gear shifting entirely without affecting nearby wireless systems, making the hack especially dangerous for riders.

Moving Forward with Digitally Safer Bicycles

To mitigate these issues, the researchers partnered with Shimano, one of the leading bicycle component manufacturers in the largest wireless gear and brake systems market. The researchers plan to present their findings at the 18th USENIX WOOT Conference, which will be held on August 12 and 13 in Philadelphia.

With their collaboration, the team developed patches to stop jamming and replay attacks and prevent information leakage. Shimano is already working to implement these patches in their system to ensure safer bicycles and plans to continue updating these platforms as more solutions are created.

“The history of professional cycling’s struggles with illegal performance-enhancing drugs underscores the appeal of such undetectable attacks, which could similarly compromise the sport’s integrity. Given these risks, it is essential to adopt an adversary’s viewpoint and ensure that this technology can withstand motivated attackers in the highly competitive environment of professional cycling,” researchers added in their paper.

Safety at the Tour de France and Other Bicycle Races

With annual races like the Tour de France and even less frequent races like the Olympics attracting hundreds of thousands of cyclists, many are worried that these hacks could be an issue at these events.

As the Tour de France does allow wireless brake systems, these platforms have become the new norm for professional cyclists. While the researchers are working to develop safeguards for potential hacks, the lack of broader discussion about these issues makes it difficult to show their severity until it is too late.

Kenna Hughes-Castleberry is the Science Communicator at JILA (a world-leading physics research institute) and a science writer at The Debrief. Follow and connect with her on X or contact her via email at kenna@thedebrief.org