My bike got stolen, this is how I got it back

The Theft

Last Thursday I ran my fastest ever 5km race - at 22:11. It was hot, I was extremely pleased with myself, and my legs felt like jelly. As I hobbled back from the finish line I got a notification - my bike had been stolen.

My bike, a VanMoof S3, is an electric bike designed for use in bike-theft-friendly cities - so all cities. The general idea is that each piece of it is impossible to steal individually (thanks to custom screws and bolts), and the whole bike is difficult to steal, with an immobilised back wheel, an alarm, and a built-in GSM tracker. I had also hidden an Apple AirTag within the bike itself, which provides a much more granular level of tracking than the ancient 2G phone-tower triangulation method built into the bike itself.

The Chase

Once I discovered that the bike had been stolen I jumped into action, opening up the bike's app to see what tracking information I could get. The tracking info was pretty much useless - just a giant circle around the place where I had locked my bike up. This was not helpful.

A map showing an extremely rough location of my bike

Switching over to my AirTag things became a lot clearer. I could see that my bike had moved pretty far - to the other side of town and to an area that many locals might avoid, and I certainly wouldn't recommend tourists visit.

The bike ping-ponged back and forth from one side of town to another as I tracked its progress - I assume that at this point it was in a van - a common technique of thieves. Assuming that I'd never get the bike back, I reported it stolen to the Gardaí, Ireland's police force. They took my details, gathered information about what CCTV footage might be available, and were generally very understanding. They were pretty excited by the live-tracked view of where it was.

AirTags work by broadcasting an anonymous Bluetooth signal that every iOS device can pick up, and report to Apple. If the item is marked missing, Apple can then let the owner know where it was last found. This means that if you lose an AirTag in a densely populated city, you will generally get at least one up-to-date location ping per minute.

By this point, the location ping had returned to within a kilometre of where it had been stolen and was sitting right on top of a bridge over the River Liffey. There hadn't been a location ping in over 15 minutes, and I had pretty much given up, assuming that my beloved bike was swimming with the fishes.

The find

I was walking back to my office where I was going to meet my girlfriend to get a lift home (it was 10 pm at this point and I was pretty exhausted) when I got another notification - my bike had just been spotted by an iOS device!

Considering it was pretty unlikely that it was underwater (neither my bike nor AirTags are waterproof) I wandered over to the location of the pin.

Once I got there, less than 1km from where the bike had been stolen, I leaned up against the quay wall and just pretended to be on my phone while I looked around. Lots of office workers passing by, people spilling out of a pub, and two young adults sitting on the quay wall that I was leaning against. They kept looking at me, and I just stayed where I was. After 15 minutes of this standoff, during which my girlfriend joined me, they eventually left, walking past me to do so, staring at me the whole time. If you're a Dublin local you can probably picture exactly what this looked like.

My girlfriend and I jumped into action, walking over to where they had been hanging out. After another 10 minutes of wandering and waving my phone about, I noticed a red glow emanating from under a disgusting mattress nearby - I had found my bike! And it was apparently unharmed!

Me, presenting my bike out on the street, next to a dirty mattress

Does VanMoof have a security problem?

There were a few things that I immediately noticed.

  1. The bike's kick lock, the thing that immobilises its back wheel, was disengaged.
    1. I know that it was engaged when the bike was stolen because VanMoof only tells you your bike has been stolen when the kick lock is engaged.
    2. I was also able to see the thief having to lift the bike to move it on CCTV.
  2. The bike's alarm wasn't going off
  3. The bike appeared to have been reset

This is concerning. A huge part of VanMoof's pitch is that they will make it extremely difficult to successfully steal their bikes. When you use the kick lock to lock a VanMoof bike, the bike effectively becomes un-cyclable because the back wheel won't rotate, and any attempt to move the bike will cause a startlingly loud alarm to blare out. Even if you manage to disengage the kick lock, the electronics should stop the motor from working.

While I have no evidence that the motor was working (and the fact that the bike had been abandoned beneath a dirty mattress did seem like the thieves had given up, hoping to come back for another round the next day) I was concerned that the kicklock had been disengaged. As far as I could tell there was no obvious damage to the mechanism, and the kicklock still works. In addition, when I switched the bike on many of its settings had been reset, suggesting that the thieves knew how to perform a basic reset of the bike.

I don't really know what this means, other than it appears that the thieves were able to bypass at least some of VanMoof's security features. My bike is no longer being manufactured, and VanMoof the company appear to be under some financial strain, so I don't know if they will ever fix these issues. But I think they're worth mentioning anyway.

Recent posts