Support road.cc

Like this site? Help us to make it better.

TECH NEWS

No, you won't be able to hack pro cyclists' electronic gears — Shimano shuts down cheating concerns over £175 jamming device, with immediate firmware update to "enhance security" already in use by pro cycling teams

Has it actually happened, and how seriously are the groupset giants taking it?

Could one of the world's best professional cyclists lose a bike race because of nefarious hacking or jamming of their electronic shifting? That's the question thrust into the spotlight since US-based researchers revealed a radio attack technique that can target and hack into Shimano Di2, causing a cyclist's gears to change, or even be disabled, via a £175 device up to 10 metres away.

The academics from UC San Diego and Northeastern University told of a "different kind of doping" — potential wireless warfare, if you like — in their paper, 'MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles', which we shared on our live blog yesterday following an interview with two of the researchers Earlence Fernandes and Aanjhan Ranganathan that appeared on Wired.

Pro cyclists’ electronic gears can be hacked and jammed by attackers, researchers say (MakeShift)
Gear spoofer used by electronic shifter hackers (MakeShift)

Well, before we all get too fearful of the prospect of a very 21st century form of cheating — roadside hackers able to change a rider's gear or, more easily, simply jam their shifters, or even impacting every single rider using electronic Shimano shifters in the peloton by broadcasting a certain signal frequency — we should probably point out that the researchers have been working alongside components giant Shimano on a fix since March, a "firmware update" that professional race teams now have and will be "available for all riders in late August". So, no jamming your group ride companions' shifters for that upcoming climb either...

> 10 things you didn't know your electronic groupset could do! How to get the most out of Shimano Di2 and SRAM AXS

Shimano told us they have been working with the researchers to "enhance the communication security for all riders using our Di2 wireless platforms", a collaboration which has led the manufacturer's engineers to have "identified and created a new firmware update" to deliver on that enhanced security aim.

"The firmware update has already been deployed across our professional race teams, including those taking part in the Tour de France Femmes avec Zwift, and the upcoming Vuelta," Shimano told us. 

Shimano Dura-Ace R9200 Groupset 3

"It is expected that the update will be available for all riders in late August. With this release, riders can perform a firmware update using Shimano's E-TUBE Cyclist smartphone app. More information about this process and steps riders can take to update their Di2 systems will be available shortly.

"While we cannot share details on the exact fix at this moment for obvious security reasons, we can share that this update is intended to improve wireless transmission across Shimano Di2 component platforms and will continue providing the highest level of shifting performance for which Shimano is renowned for."

2024 Sram Red AXS vs Shimano Dura-Ace front mech

And while all the discussion so far has surrounded Shimano, there have been suggestions that there is no reason why fellow WorldTour electronic groupset provider SRAM could not potentially be vulnerable to similar foul play. We contacted SRAM for comment and will update this piece with any response received.

But has this "different kind of doping" ever actually happened at a professional race? At the minute, nobody knows and while riders may now be racking their brains for memories of untimely shifting shockers, no teams or riders have publicly raised suspicions about having fallen victim to groupset hacking.

> New patent suggests Shimano 13-speed electronic groupsets are coming — here's what we know so far

The method the researchers outlined, the one that Shimano says has been addressed with a firmware update, would allow a wrongdoer to have used hardware costing only £175 and allow potential hackers to take over and control a bike's shifting behaviour by sending spoof radio signals from as far as 10m away.

They would also have had to intercept the target's gear-shift signals at some point previously, say before a stage, and have access to kit such as the software-defined radio, antenna and laptop the researchers used. However, the researchers pointed out this could be reduced in size to the point where their hardware set-up could be in a rival team car or in a rider's back pocket, not necessarily like the somewhat bulky roadside set-up seen in their video.

Shimano is confident it has addressed what the academics exposed as a vulnerability in Shimano's Di2 systems, with a blackbox analysis of the manufacturer's wireless protocols revealing a lack of mechanisms to prevent an attacker taking over someone's gears, and information leakage resulting from the use of ANT+ communication, that allows an attacker to inspect telemetry from a targeted bike.

> Complete guide to electronic gears: your bike's shifting, indexing and charging explained

Looking forward, another question might be whether others will be able to repeat the researchers' feat and leave the groupset manufacturers again scrambling for a fix. For now, the academics suggest it should be a warning about security vulnerabilities stemming from the implementation of wireless tech, something they told Wired has been a "repeating pattern" that has an "impact on real-world control systems" and "can cause real physical harm", such as with keyless car entries and thefts.

Dan is the road.cc news editor and has spent the past four years writing stories and features, as well as (hopefully) keeping you entertained on the live blog. Having previously written about nearly every other sport under the sun for the Express, and the weird and wonderful world of non-league football for the Non-League Paper, Dan joined road.cc in 2020. Come the weekend you'll find him labouring up a hill, probably with a mouth full of jelly babies, or making a bonk-induced trip to a south of England petrol station... in search of more jelly babies.

Add new comment

10 comments

Avatar
Nick T | 1 month ago
0 likes

Pro cyclists losing races would be the very least of my concerns; the sort of people who throw tacks on sportive routes or string up wires across bike paths have the potential to do some serious damage with this exploit

Avatar
lonpfrb replied to Nick T | 1 month ago
0 likes
Nick T wrote:

the sort of people who throw tacks on sportive routes or string up wires across bike paths have the potential to do some serious damage with this exploit

Unfortunately we can't be confident that such evidence of stupidity and irresponsibility will prevent the use of a technology defect. Cyber criminal exploits against public health and hospitals showing that there are people competent and bad so willing to endanger life for profit. Event organisers now need to consider this risk and what mitigation is feasible: Come to the start line with evidence that you have Shimano version X firmware or better...

Avatar
Brauchsel replied to Nick T | 1 month ago
0 likes

What's the serious damage? It doesn't affect pedalling or braking, so the rider's ability to stop isn't affected. 

It's annoying to find oneself in an unexpected gear, but not hazardous in the way spikes in the road or neck-height wires are. I also doubt that the murderous idiots who do the latter are going to spend time and money on signal-jammers just on the off-chance someone with a wireless groupset passes within 10m of them. Once you've thrown tacks or strung up your wire, you can go home knowing that you'll injure *any* cyclist not just ones on expensive bikes. 

Avatar
severs1966 | 1 month ago
0 likes

The Shimano wireless system uses one of the ISM bands https://en.wikipedia.org/wiki/ISM_radio_band and even if the system's firmware is "secure", preventing a malicious intruder from operating the gearing system remotely, it is still the case that the system can be jammed.

Radio jamming is a very difficult attack to prevent, because even transmissions using the most secure protocols can still be overhwelmed by a sufficiently powerful interfering signal. ISM systems, and indeed most things in the 2.4GHz band that Shimano have used so far, operate at rather low transmitter power. On a bike, it is a necessary restriction in order to use a small and therefore lightweight battery. Because of this limitation, it does not take an particularly powerful jamming transmitter to simply obliterate the legitimate transmission from the controls (the gear selector button's supporting electronics) in favour of what the system would see as "nonsnse content". This could at the very least result in a non-response from the receiver (the derailleur) and therefore a missed shift, or a period of missed shifts, at the very least.

To have sufficient transmit power radiated in the right location for this to compromise a rider in a race would take quite a bit of forward planning, it is entire possible in principle.

It would be more difficult to do it and get away with it without being caught, because an enforcing authority could quite easily locate such a "renegade" transmitter if they want to take preventative action, something that might be a form of transmission policing in a major race, for example. But they'd have to be quick.

Of course, none of this applies to wired systems, only to wireless ones.

Avatar
lonpfrb replied to severs1966 | 1 month ago
0 likes
severs1966 wrote:

Of course, none of this applies to wired systems, only to wireless ones.

So DI2 6800 on wire is safe,
while DI2 8000 on wireless is vulnerable?

Avatar
mark1a replied to lonpfrb | 1 month ago
1 like

lonpfrb wrote:
severs1966 wrote:

Of course, none of this applies to wired systems, only to wireless ones.

So DI2 6800 on wire is safe, while DI2 8000 on wireless is vulnerable?

8000 is not available as wireless. 8100 (R8150) running wireless theoretically is vulnerable, although can be installed to run wired.

Avatar
Chris RideFar | 1 month ago
3 likes

Despite having the option for 12-speed Di2 to have no wires to the front shift levers, there is the option of connecting them with wires. That's the option that I went with when installing my 12-speed group and I have no regrets. Battery life is better, the bike responds on the first click of the button on a ride (rather than having to wake it up with a few clicks at the beginning) and there are zero downsides after the wiring is finished. This article reveals another positive for this setup. The only reason new bikes don't come delivered this way is to save the bike brands the assembly and parts costs; consumers would generally be better off if everything was connected with wires, IMO.

Avatar
Paul J | 1 month ago
0 likes

"We contacted SRAM for comment and will update this piece with any response received."

SRAM's eTap protocol is _not_ vulnerable to message replay attacks, as it has had a message counter since the first to-market product.

Avatar
mark1a replied to Paul J | 1 month ago
0 likes

Paul J wrote:

"We contacted SRAM for comment and will update this piece with any response received." SRAM's eTap protocol is _not_ vulnerable to message replay attacks, as it has had a message counter since the first to-market product.

Message replay is just one very simplistic compromise, which as you've said SRAM is immune to, however, it's very naive to think that SRAM has no vulnerabilities whatsoever, your quote from the article is preceded by "potentially be vulnerable to similar foul play", i.e. not limited to message replay. 

Avatar
Paul J replied to mark1a | 1 month ago
2 likes
mark1a wrote:

Message replay is just one very simplistic compromise, which as you've said SRAM is immune to, however, it's very naive to think that SRAM has no vulnerabilities whatsoever, your quote from the article is preceded by "potentially be vulnerable to similar foul play", i.e. not limited to message replay. 

Much of the SRAM eTap protocol is quite compact. The gear-change messages particularly. There isn't really anything to get badly wrong in those core messages, other than replay protection. And SRAM has that.

SRAM got outside expertise in to help review their protocol, in at least 2015 (and perhaps again later - but I don't know). It appears Shimano never did.

Latest Comments