“Zwift Cheating” – DefCon 2019 Presentation

Wasn’t DefCon about obscure 0day exploits? What happened? Has the Wall Of Sheep been replaced by the Zwift Esports Classics results?

Who knows…. but this week security researcher Brad Dixon presented “Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks” at DefCon 27.

There was no specific mention of Zwift in the presentation title. The underlying topic has nothing to do with Zwift. The presentation was around exploiting the years-old and well-known issues with the ANT+ wireless protocol that’s now being used by Zwift and EVERY other virtual racing and training platform that exists. However from the third slide onwards and over to the article on Vice.com you’d be hard pressed to separate the two – Cheating and Zwift.

I’d seen the DefCon schedule last week and knew this presentation would be of interest to the Zwift Racers Facebook group. Apparently not. However, only once the Vice.com article was posted with a Zwift screenshot and the title keywords of “HACKER | CHEAT | ZWIFT” did it gain traction in the popular Zwift Riders group. Mostly with eye-rolling meme GIF replies… as deserved. 😉

I’m not putting the spotlight on the technical aspects of this presentation. It was really interesting, although it was effectively what Keith Wakeham had already covered months ago over on YouTube. What I found interesting was the focus on only one platform, Zwift.

So over my morning coffee I put together a quick few words. My take:

This isn’t new. We’ve known (and discussed) this problem for YEARS. There’s nothing more to see here than what has already been done over on YouTube. Search up Keith Wakeham. He’s all over this. Controller and all. 

Is this Zwift related? No. This is an issue with the ANT+ protocol. Why did they use Zwift? Why does this article call Zwift out 22 times? Why not RGT? Or VirtuGO? Or Rouvy? Or BKool Simulator? OneLap? They’re all other virtual Eracing platforms. This cheating article is plastered only with Zwift to get attention. CLICKBAIT.

“I want to hook a motorcycle up to Zwift so I can go 8,000 miles an hour”. Fact check: Zwift is limited to 2000W with any power source… so 8,000mph isn’t possible. Again, cool story though.

Their discussion around Zwift taking cheating seriously: that’s true. We saw some pretty harsh DQs in a recent Zwift Classics event last month. A previously verified/vetted/celebrated/promoted Zwift National Champion was DSQ’d by ZADA for “Performance can’t be verified with outdoor or test data”. *eyebrows were raised*

Back on topic – Presentations like this are good. It puts more focus on the need to develop secure and robust communications for our devices as this sport moves into a whole new arena. One that the current technology was never designed for.

That’s really about it. Am I being harsh in calling out their use of Zwift for views/hits/attention? I don’t think so. I’ve used this exact play for the last four years to build a successful YouTube channel and establish my own corner(s) of the Internet.

It would have been nice to see a few other platforms thrown under the bus too. That might have kickstarted more discussions around the inevitable solution we’ll see sometime in the future.


Shane Miller
