Could hackers attack SRAM's electronic gears? And what does film star Hedy Lamarr have to do with it?

SRAM’s new wireless groupset has created a lot of discussion and debate. A common concern is whether it would be susceptible to electronic attack, either to stop it working completely or, for instance, to operate a rival's gears at just the wrong moment, leaving a sprinter twiddling a tiny gear with 200m to go.

So we asked a man who knows. Mark Severs B.Eng is a Senior Systems Engineer for communications giant Arqiva whose day job involves making sure TV programmes get to your screen. He used to write under the name Andy Bentley for cycling and other publications in the early 90s, until he got a real job. He knows a bit about how widgets talk to each other, so we asked what he thought of the SRAM system based on what we know so far.

He told us:

First, the comms protocol has to be a legal one, i.e. approved by every country's radio regulator wherever they will use it. That means that it must be one already recognised by the ITU, the international talking shop for national comms regulatory bodies such as the USA's FCC and Britain's OFCOM. This means that even if it is a bit proprietary it can't be all-new.

Second, Bluetooth and wifi and stuff like that are probably out because they are suited more to communications and less to control. Wireless control systems are different to wireless comms systems. Also, Bluetooth is very slow and pretty easy to selectively disrupt.

There are a lot of options, but the likely answer is one of the comms protocols used for industrial and domestic control systems that already exist.

As far as disruption goes, there are two ways to disrupt comms; selective and blanket. If you spew out enough shash in the relevant section of the radio spectrum, everything will fail, affecting all teams equally. That's blanket. Are any other teams using a similar system? A system in the same band? A band near to the band used for their voice radio? If only one team is using a specific band for their "derailleur brains" it is a simple matter of radiating a blanket jamming signal across that band, like one side used to do to the other in the cold war. Jamming a specific frequency is more fiddly but also possible, if you need to get that specific. This form of jamming is illegal but hard to detect without proper tracking systems designed specifically to detect jammers, so you just switch the jammer in the team car on when the heroes get involved in the break, the climb or the sprint.

At this point we dug out the SRAM patent and in particular a paragraph relating to the wireless protocol, which says it's a “2.4 GHz transceiver utilising AES encryption and DSS spread spectrum technology supporting 16 channels and the IEEE 802.15.4 communication protocol." That might as well be Navajo to us, but it spoke volumes to Mark.

It's an ISM or Zigbee/Z-Wave style product then, co-opted for bikes. There are a whole slew of these, too many to list. They are all semi-proprietary, but all available as "off the shelf" chipsets. In this article, there is a table with ISM in the middle, and all the options are just listed as "various".

Specifics: The AES encryption means hard-to-hack, so forget spotty hackers homing in on one specific bike's comms. DSS means "Digital Spread Spectrum", which is expected, and is simply a mechanism for making the radio signal robust and hard to interfere with - you know, by things like microwave ovens, wifi (which lives in the same band), poorly suppressed ignition, etc. DSS is used in everything these days (digital TV, DAB radio, DECT and mobile phones), so it is nothing exotic.

The IEEE 802.15.4 bit is just an international standards listing for physical and MAC activity [Machine Access Control]. You know, like a computer has a MAC address? The patent isn't very "patenty" in that none of this is a new invention, it's all a couple of years old at least. Spread-spectrum was invented by the famous film star Hedy Lamarr in the 1940s, which is one of the most obscure and arcane pieces of trivia I ever learned. She was a maths PhD!

It looks like it is all a versatile comms standard, bidirectional or even meshed maybe, robust, reliable in areas of interference. This no doubt drives some sort of miniaturised but fairly ordinary mechanical actuator system, and there is nothing new in all of that since electronic engine brains in motorbikes shrank all the sensors and actuators for use on throttle butterflies etc etc.

All told it sounds very realistic and workable, based on existing proven technology and impossible to interfere with except for the "blanket" approach I mentioned earlier. Using wide-band spread-spectrum may even make this impractical, which is entirely possible.

There you go then. Thanks in part to a bright idea by a mid-twentieth century film star, SRAM's wireless shifting should resist the kind of electronic attacks people are worrying about. 

15 comments

chorltonjon [36 posts] 3 years ago
0 likes

Does "16 channel" limit the number of devices able to operate in one location? If so, a peloton-full would be disastrous/comedy gold.

Rupert [191 posts] 3 years ago
0 likes

Great photo of Hedy here are a few quotes from her

"Any girl can be glamorous. All you have to do is stand still and look stupid."

"If you use your imagination, you can look at any actress and see her nude. I hope to make you use your imagination."

"I must quit marrying men who feel inferior to me. Somewhere there must be a man who could be my husband and not feel inferior. I need a superior inferior man."

"The world isn't getting any easier. With all these new inventions I believe that people are hurried more and pushed more... The hurried way is not the right way; you need time for everything - time to work, time to play, time to rest."

"Perhaps my problem in marriage - and it is the problem of many women - was to want both intimacy and independence. It is a difficult line to walk, yet both needs are important to a marriage."

"Hope and curiosity about the future seemed better than guarantees. That's the way I was. The unknown was always so attractive to me... and still is."

With regards to these wireless gears they are just the natural progression to automatic gears in the future. I foresee a time where the gear changes to your body's power output, lactate levels and pain threshold etc.

matthewn5 [1024 posts] 3 years ago
0 likes

I'd consider it after a couple of recalls have sorted out the early bugs. BUT, still three (four? both shifters?) batteries to charge.

lookmanohands [119 posts] 3 years ago
0 likes

Should be easy to attach more shifters as well

mikroos [257 posts] 3 years ago
0 likes

Yes, multiple shifters is the obvious way of progress on this product. I'm also waiting for splitters for hydraulic hoses which would allow riders to use extra brake levers at their TT extensions or install hydraulic CX-style levers. SRAM have recently started shipping the new generation of Hydro-R brakes/levers so who knows... That would be pretty nice!

Flying Scot [936 posts] 3 years ago
0 likes

....multiple shift buttons being a feature of the ancient mavic zap mektronic wireless electric Gruppo.

severs1966 [399 posts] 3 years ago
0 likes
drmatthewhardy wrote:

I'd consider it after a couple of recalls have sorted out the early bugs. BUT, still three (four? both shifters?) batteries to charge.

lookmanohands wrote:

Should be easy to attach more shifters as well

Less shifters with more buttons is also possible. That reduces the number of batteries. Different gestures for different gear-change actions? Like a mouse trackpad? There are already shifters where a single push changes the rear and a double push changes the front.

Also, shifters might be on the rider instead of the bike, so that you can operate a shift regardless of where your hands are (the "tops", the "hooks", the tri-bars, etc).

I wonder if the UCI have thought of dreaming up any annoyingly restrictive rules yet? Will they pre-emptively ban thought-controlled shifting before the heart-rate monitor manufacturers develop a "brain link" head band that looks like their existing rubber bra straps? Or maybe a nice little implant to inject into your neck, like the chip off your pet dog? It's all here waiting for you… in The Twilight Zone… *dramatic music*

Mooman16 [25 posts] 3 years ago
0 likes

Simply using AES does not necessarily mean it will be harder to hack. It's all down to cryptographic key management - i.e. how complex/long the key is (i.e. to prevent brute force attack), how well the key is protected/stored on the device and whether or not each groupset will have its own unique key. I would hope the keys are unique, because if you crack one gruppo, well ....

I see a lot of crappy implementations of cryptography on mobile apps and I can find AES keys to encrypted databases stored on the impacted device(s) within minutes. None of this is down to any deficiencies in AES itself as a technology, moreso because of security being an afterthought and corners being cut in the interests of costs and development time.

It would be an interesting test to see what is possible from passively scanning the wireless communications. But .... the attacker would always have to be in close physical proximity to the gruppo to be able to do that.

However, I'm inclined to be optimistic and hope that SRAM have taken the necessary steps to adequately test the security of their new gruppo. Let's see.

Getting off my hobby horse about cryptography, another interesting thing that nobody has talked about is whether or not the new technology can integrate with head units. For instance, as well as recording speed, cadence, heart rate, elevation, etc, etc, why not add gear usage to that as well? Could it even enable head units to display gear information too (for those that can't be bothered to look down at their chainset and cassette)? Interesting times!

p.s. 'spotty hackers'? Makes me laugh when I see this stereotype.

Paul J [932 posts] 3 years ago
0 likes

I don't have direct experience of 802.15.4, but I am fairly deep into networking (particularly, analysing how network protocols can work and fail).

Note that 802.15.4 specifies the radio (PHY) and media access control/arbitration (MAC) layers. I.e. it specifies everything below the application layer. It can be downloaded at:

http://standards.ieee.org/getieee802/download/802.15.4-2006.pdf
http://standards.ieee.org/getieee802/download/802.15.4-2011.pdf

The patent says they're using the "unlicensed" 2.4 to 2.5GHz band specified by the ITU. This is carved up into 16 relatively narrowband channels. This radio band is also used by a very wide number of other devices, including 802.11 wifi, DECT phones, garage door openers, etc.

The 16 channels does *not* mean it's limited to 16 devices using it. Each of the 16 channels can be used by multiple devices, which have to co-ordinate when they transmit using the specified "MAC" protocol. 802.15.4 is defined to use a CSMA-CA algorithm. This is fairly simple, however performance degrades fairly quickly as more devices use the same channel - similar to when your neighbours' wifi is on the same channel as yours, and/or as you have more and more devices using your wifi (and your 802.11 wifi can use slightly more sophisticated MAC protocols).

The SRAM patent has a lot of talk about transmitting on a channel, listening for noise, waiting, etc. I suspect though they're just referring to the standard 802.15.4 protocols there - that SRAM didn't invent any new PHY/MAC stuff, but are just using standard implementations. If so, I think it's a bit sneaky of them to try to claim this stuff in their patent, but IANAL.

They do seem to have added their own "turn the chip/radio on and off at intervals" protocol on top of that though to save power. These kinds of things can be tricky to get right though. Protocols can work in controlled settings, but then fall apart in certain other conditions that are only experienced in the real-world.

The SRAM patent seems to suggest that channel selection is done manually, by pressing a button on the dérailleur to make it go into a pairing mode where it scans all the channels, while the operator sets the channel on the shifter using some appropriate twiddling after which it transmits. The dérailleur then picks up the channel the shifter sends on.

Finally, the patent suggests the shifter sends fairly simple "Shift up" or "shift down" commands. The patent then has to discuss how the problem of duplicate or lost commands is dealt with. Commands can be lost because of either radio noise, or because of the aforementioned "turn the radio off for intervals" power-saving protocol. To compensate for this, the shifter also sends a count, e.g. "Shift up 3" to indicate this is the 3rd up shift in a row. I would presume the shifter resets this count when an opposite shift is made. The patent as written doesn't actually make sense to me, it says the receiver increments the count, but I think they mean the shifter does - I don't understand how it could work otherwise, unless the dérailleur acknowledged shift counts, but the patent doesn't say that this happens.

When the dérailleur receives a message where the count is higher than the previous message it received, then it knows it missed a message and can compensate by shifting more, to match the number of missed shifts. This means that lost commands from the shifters in noisy RF conditions must definitely be an issue though.

It seems like their protocol should generally work, however I can see some problems if sufficient messages are lost that the rider notices and compensates themselves by pressing the lever. E.g.:

0. Dérailleur last got "shift down, x-1"

1. Rider wants to shift down again, clicks

2. Shifter sends "Shift down, x", and does so at intervals for long enough that the dérailleur must have had an awake period, to have had a chance to receive - e.g. 100ms is suggested in the patent, but that might not be what the released systems use.

3. The dérailleur doesn't get the message, because of high radio noise.

4. 1 or 2 seconds later the rider notices the missed shift, and moves the shifter again.

5. Repeat steps 2 to 4 another n times, where n is 0 or higher, depending on how long the radio noise lasts. Each time the shifter is sending an incremented x.

6. Finally the dérailleur receives the message, and suddenly shifts down x+n times.

That wouldn't be fun.

Another issue is that SRAM don't have separate shifters for front and rear dérailleurs. Instead, you have to tap both shifters together. To make this work, the patent says the shifters /actually/ send "Shift up/down pressed" and "shift up/down released" messages. The front and rear dérailleurs then have to work out from the /combination/ of messages whether it was intended for them.

I.e. receiving either:

1. "shift up pressed"

2. "shift up released"

or else:

1. "shift down pressed"

2. "shift down released"

Means it's for the rear dérailleur.

However, if the following is received (where the order of 1a and 1b to each other don't matter, nor 2a to 2b, so long as the 2s are received after the 1s):

1a. "shift up pressed"
1b. "shift down pressed"

2a. "shift up released"
2b. "shift down released"

Then it means it's meant for the front dérailleur, and the FD will change ring. (Clearly, this can't work at all with a triple). However, that means that if either:

c: message 1a is lost, and then message 2b is received

d: message 1b is lost, and then message 2a is received

at the rear dérailleur, then the rear dérailleur will change. It will change down in the case of c, and it will change up in the case of d. Note that it is possible for the rear dérailleur to miss the message, but the FD to receive - in which case *both* will change.

Further, this means this protocol can not intentionally shift both front and rear at the same time (I do this sometimes, e.g. big to little on the front, while shifting to a smaller cog on the back). Of course, both-shifting generally isn't recommended. However, this protocol in the patent can *unintentionally* shift both.

It will be interesting to see how often the problem of "over shifts" (shifting too many because of lost shift) occurs on the rear, and how often the "unintentional both shift" occurs, due to RF noise.

NB: It is possible that SRAM further developed their shifting protocols since the patent applications, and so they might have already addressed these issues.
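As an added example (not SRAM's code and not taken from the patent; it implements Paul J's reading of the protocol, and the message names, the "counter resets on an opposite shift" rule and the loss model are all assumptions made here), the following Python model reproduces the two failure modes described in this post: the over-shift from steps 0 to 6 when the count-based catch-up finally hears a retransmission, and the unintended rear shift in cases c and d when one "pressed" message of a front-derailleur combination is lost at the rear.

```python
# Toy model of the shifter/derailleur protocol as Paul J reads it from the patent.
# Everything here is an assumption for illustration, not SRAM's implementation.

UP, DOWN = "up", "down"


class Shifter:
    """Shifter side of the count-based protocol: each press sends (direction, count).
    The count increments on repeated presses in one direction and restarts when the
    opposite direction is pressed (Paul J's presumption; the patent text is ambiguous)."""

    def __init__(self):
        self.direction = None
        self.count = 0

    def press(self, direction):
        if direction != self.direction:
            self.direction, self.count = direction, 0
        self.count += 1
        return (direction, self.count)


class CountingDerailleur:
    """Rear derailleur applying the catch-up rule: shift by the gap between the
    received count and the last count it heard in the same direction."""

    def __init__(self):
        self.position = 0            # sprocket index: +1 per down-shift, -1 per up-shift
        self.last = (None, 0)

    def receive(self, msg):
        direction, count = msg
        last_direction, last_count = self.last
        steps = count - last_count if direction == last_direction else count
        steps = max(steps, 0)        # a stale or duplicate message shifts nothing
        self.position += steps if direction == DOWN else -steps
        self.last = msg
        return steps


def overshift_scenario(lost_presses):
    """Steps 0-6 of the post: the rider wants ONE more down-shift, the message is lost,
    the rider re-presses lost_presses times during the noise, then the next press gets
    through. Returns how many shifts the derailleur executes when it finally hears."""
    shifter, rd = Shifter(), CountingDerailleur()
    rd.receive(shifter.press(DOWN))          # step 0: last delivered was "down, x-1"
    for _ in range(lost_presses):            # steps 2-5: each retransmission drowned out
        shifter.press(DOWN)
    return rd.receive(shifter.press(DOWN))   # step 6: catches up all the lost ones at once


class ComboDerailleur:
    """Front or rear unit deciding, from the combination of pressed/released messages,
    whether a button action was meant for it (the scheme as Paul J describes it)."""

    def __init__(self, role):
        self.role = role             # "front" or "rear"
        self.held = set()            # buttons whose "pressed" message this unit heard
        self.actions = []

    def receive(self, event):
        button, state = event
        if state == "pressed":
            self.held.add(button)
            return
        if button not in self.held:  # release of a press we never heard: ignore it
            return
        both = {UP, DOWN} <= self.held
        if both and self.role == "front":
            self.actions.append("front-shift")
        elif not both and self.role == "rear":
            self.actions.append("rear-" + button)
        self.held.clear()            # one decision per press/release cycle


# Constructed message sequence for an intended front shift (1a, 1b, 2a, 2b in the post).
FRONT_SHIFT = [(UP, "pressed"), (DOWN, "pressed"), (UP, "released"), (DOWN, "released")]


def run(events, lost=None):
    """Deliver events to a fresh front and rear unit. lost maps a role to the indices of
    events that unit never receives. Returns {role: [actions]} for units that acted."""
    lost = lost or {}
    units = [ComboDerailleur("front"), ComboDerailleur("rear")]
    for i, event in enumerate(events):
        for unit in units:
            if i not in lost.get(unit.role, ()):
                unit.receive(event)
    return {u.role: u.actions for u in units if u.actions}


if __name__ == "__main__":
    print("clean link, one press:", overshift_scenario(0), "shift")
    print("three presses lost:", overshift_scenario(3), "shifts for one intended")
    print("front shift, all heard:", run(FRONT_SHIFT))
    print("case c (rear misses 1a):", run(FRONT_SHIFT, {"rear": {0}}))
    print("case d (rear misses 1b):", run(FRONT_SHIFT, {"rear": {1}}))
```

With a clean link one press produces one shift and a full four-message combination moves only the front; drop a single "pressed" message at the rear and the same sequence moves both front and rear, exactly the "unintentional both shift" the post predicts. The count rule is what makes the over-shift happen: it cannot distinguish "the rider pressed n times on purpose" from "the rider pressed n times because nothing happened", so a retry made by a human is counted as a new command.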

mbell [43 posts] 3 years ago
0 likes

Longest post on road cc ever?

pwake [422 posts] 3 years ago
0 likes

The answer to the question in your headline then is "No".

SteppenHerring [337 posts] 3 years ago
0 likes

My favourite piece of trivia is this: the USS Phoenix was one of the few US ships that survived the Japanese attack on Pearl Harbour with minor damage. It went on until 1982 when it was sunk by the British during the Falklands war.

noether [96 posts] 3 years ago
0 likes

Don't worry, SRAM will use the feedback of early adopters to release a functional second generation. All at premium prices, of course.

dave atkinson [6301 posts] 3 years ago
0 likes
Paul J wrote:

Further, this means this protocol can not intentionally shift both front and rear at the same time (I do this sometimes, e.g. big to little on the front, while shifting to a smaller cog on the back). Of course, both-shifting generally isn't recommended. However, this protocol in the patent can *unintentionally* shift both.

That's an interesting point: shifting at both ends is something I do as a matter of course when switching chainrings, especially on a compact.

Welsh boy [360 posts] 3 years ago
0 likes
mbell wrote:

Longest post on road cc ever?

Most boring, certainly.