No, you won't be able to hack pro cyclists' electronic gears — Shimano shuts down cheating concerns over £175 jamming device, with immediate firmware update to "enhance security" already in use by pro cycling teams
Has it actually happened, and how seriously are the groupset giants taking it?
Could one of the world's best professional cyclists lose a bike race because of nefarious hacking or jamming of their electronic shifting? That's the question thrust into the spotlight since US-based researchers revealed a radio attack technique that can target and hack into Shimano Di2, causing a cyclist's gears to change, or even be disabled, via a £175 device up to 10 metres away.
The academics from UC San Diego and Northeastern University told of a "different kind of doping" — potential wireless warfare, if you like — in their paper, 'MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles', which we shared on our live blog yesterday following an interview with two of the researchers, Earlence Fernandes and Aanjhan Ranganathan, that appeared on Wired.
Well, before we all get too fearful of the prospect of a very 21st-century form of cheating (roadside hackers able to change a rider's gear or, more easily, simply jam their shifters, or even affect every rider in the peloton using electronic Shimano shifters by broadcasting on a certain frequency), we should point out that the researchers have been working alongside components giant Shimano on a fix since March: a firmware update that professional race teams now have and that will be "available for all riders in late August". So, no jamming your group ride companions' shifters for that upcoming climb either...
Shimano told us they have been working with the researchers to "enhance the communication security for all riders using our Di2 wireless platforms", a collaboration which has led the manufacturer's engineers to have "identified and created a new firmware update" to deliver on that enhanced security aim.
"The firmware update has already been deployed across our professional race teams, including those taking part in the Tour de France Femmes avec Zwift, and the upcoming Vuelta," Shimano told us.
"It is expected that the update will be available for all riders in late August. With this release, riders can perform a firmware update using Shimano's E-TUBE Cyclist smartphone app. More information about this process and steps riders can take to update their Di2 systems will be available shortly.
"While we cannot share details on the exact fix at this moment for obvious security reasons, we can share that this update is intended to improve wireless transmission across Shimano Di2 component platforms and will continue providing the highest level of shifting performance for which Shimano is renowned."
And while all the discussion so far has surrounded Shimano, there have been suggestions that there is no reason why fellow WorldTour electronic groupset provider SRAM could not potentially be vulnerable to similar foul play. We contacted SRAM for comment and will update this piece with any response received.
But has this "different kind of doping" ever actually happened at a professional race? At the minute, nobody knows, and while riders may now be racking their brains for memories of untimely shifting shockers, no teams or riders have publicly raised suspicions about having fallen victim to groupset hacking.
The method the researchers outlined, which Shimano says has been addressed by the firmware update, would allow an attacker using hardware costing only £175 to take over and control a bike's shifting behaviour by sending spoofed radio signals from as far as 10m away.
They would also have had to intercept the target's gear-shift signals at some point previously, say before a stage, and have access to kit such as the software-defined radio, antenna and laptop the researchers used. However, the researchers pointed out this could be reduced in size to the point where their hardware set-up could be in a rival team car or in a rider's back pocket, not necessarily like the somewhat bulky roadside set-up seen in their video.
Shimano is confident it has addressed the vulnerability the academics exposed in its Di2 systems. Their black-box analysis of the manufacturer's wireless protocols found no mechanism to prevent an attacker taking over someone's gears, and found information leakage from the use of ANT+ communication that allows an attacker to inspect telemetry from a targeted bike.
Looking forward, another question might be whether others will be able to repeat the researchers' feat and leave the groupset manufacturers again scrambling for a fix. For now, the academics suggest it should be a warning about security vulnerabilities stemming from the implementation of wireless tech, something they told Wired has been a "repeating pattern" that has an "impact on real-world control systems" and "can cause real physical harm", such as with keyless car entries and thefts.
Dan is the road.cc news editor and has spent the past four years writing stories and features, as well as (hopefully) keeping you entertained on the live blog. Having previously written about nearly every other sport under the sun for the Express, and the weird and wonderful world of non-league football for the Non-League Paper, Dan joined road.cc in 2020. Come the weekend you'll find him labouring up a hill, probably with a mouth full of jelly babies, or making a bonk-induced trip to a south of England petrol station... in search of more jelly babies.
Pro cyclists losing races would be the very least of my concerns; the sort of people who throw tacks on sportive routes or string up wires across bike paths have the potential to do some serious damage with this exploit
the sort of people who throw tacks on sportive routes or string up wires across bike paths have the potential to do some serious damage with this exploit
Unfortunately we can't be confident that such evidence of stupidity and irresponsibility will prevent the use of a technology defect. Cyber criminal exploits against public health and hospitals show that there are people competent and bad enough to be willing to endanger life for profit. Event organisers now need to consider this risk and what mitigation is feasible: come to the start line with evidence that you have Shimano version X firmware or better...
What's the serious damage? It doesn't affect pedalling or braking, so the rider's ability to stop isn't affected.
It's annoying to find oneself in an unexpected gear, but not hazardous in the way spikes in the road or neck-height wires are. I also doubt that the murderous idiots who do the latter are going to spend time and money on signal-jammers just on the off-chance someone with a wireless groupset passes within 10m of them. Once you've thrown tacks or strung up your wire, you can go home knowing that you'll injure *any* cyclist not just ones on expensive bikes.
The Shimano wireless system uses one of the ISM bands https://en.wikipedia.org/wiki/ISM_radio_band and even if the system's firmware is "secure", preventing a malicious intruder from operating the gearing system remotely, it is still the case that the system can be jammed.
Radio jamming is a very difficult attack to prevent, because even transmissions using the most secure protocols can still be overwhelmed by a sufficiently powerful interfering signal. ISM systems, and indeed most things in the 2.4GHz band that Shimano have used so far, operate at rather low transmitter power. On a bike, it is a necessary restriction in order to use a small and therefore lightweight battery. Because of this limitation, it does not take a particularly powerful jamming transmitter to simply obliterate the legitimate transmission from the controls (the gear selector button's supporting electronics) in favour of what the system would see as "nonsense content". This could at the very least result in a non-response from the receiver (the derailleur) and therefore a missed shift, or a period of missed shifts.
While having sufficient transmit power radiated in the right location for this to compromise a rider in a race would take quite a bit of forward planning, it is entirely possible in principle.
It would be more difficult to do it and get away with it without being caught, because an enforcing authority could quite easily locate such a "renegade" transmitter if they want to take preventative action, something that might be a form of transmission policing in a major race, for example. But they'd have to be quick.
Of course, none of this applies to wired systems, only to wireless ones.
Despite having the option for 12-speed Di2 to have no wires to the front shift levers, there is the option of connecting them with wires. That's the option that I went with when installing my 12-speed group and I have no regrets. Battery life is better, the bike responds on the first click of the button on a ride (rather than having to wake it up with a few clicks at the beginning) and there are zero downsides after the wiring is finished. This article reveals another positive for this setup. The only reason new bikes don't come delivered this way is to save the bike brands the assembly and parts costs; consumers would generally be better off if everything was connected with wires, IMO.
"We contacted SRAM for comment and will update this piece with any response received." SRAM's eTap protocol is _not_ vulnerable to message replay attacks, as it has had a message counter since the first to-market product.
Message replay is just one very simplistic compromise, which as you've said SRAM is immune to, however, it's very naive to think that SRAM has no vulnerabilities whatsoever, your quote from the article is preceded by "potentially be vulnerable to similar foul play", i.e. not limited to message replay.
Much of the SRAM eTap protocol is quite compact. The gear-change messages particularly. There isn't really anything to get badly wrong in those core messages, other than replay protection. And SRAM has that.
SRAM got outside expertise in to help review their protocol, in at least 2015 (and perhaps again later - but I don't know). It appears Shimano never did.
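The article's description of the Di2 weakness (captured shift signals that the derailleur will act on) and the comments above about SRAM's message counter contrast two receiver designs. The Python below is an added illustration, not code from the article, the paper or either manufacturer: the frame layout, key and command codes are constructed for the demo. A naive receiver acts on any well-formed shift frame, so a frame recorded earlier and delivered again shifts the gear; a receiver that authenticates each frame and requires a strictly increasing counter drops it.

```python
import hashlib
import hmac
import struct

# Constructed demo pairing key; assumed to be shared by shifter and derailleur at pairing.
KEY = b"constructed-demo-pairing-key"
COMMANDS = {"up": 1, "down": 2}  # constructed command codes, not a real frame format


def make_frame(counter: int, cmd: str, key: bytes = KEY) -> bytes:
    """Build one shift frame: 4-byte counter, 1-byte command, 8-byte truncated HMAC tag."""
    body = struct.pack(">IB", counter, COMMANDS[cmd])
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class NaiveReceiver:
    """Acts on any well-formed frame, so a recording of a shift played back later is obeyed."""

    def __init__(self):
        self.gear = 5

    def handle(self, frame: bytes) -> bool:
        _, cmd = struct.unpack(">IB", frame[:5])
        self.gear += 1 if cmd == COMMANDS["up"] else -1
        return True


class CounterReceiver:
    """Verifies the tag and requires a strictly increasing counter; stale frames are dropped."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.gear = 5
        self.last_counter = -1

    def handle(self, frame: bytes) -> bool:
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame: wrong key
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # already seen (or older than one already accepted): replay
        self.last_counter = counter
        self.gear += 1 if cmd == COMMANDS["up"] else -1
        return True


def simulate(receiver_cls):
    """Two legitimate shifts, then the first frame delivered a second time."""
    rx = receiver_cls()
    frames = [make_frame(1, "up"), make_frame(2, "up")]
    accepted = [rx.handle(f) for f in frames]
    accepted.append(rx.handle(frames[0]))  # the earlier frame, seen again
    return rx.gear, accepted
```

The naive receiver ends three gears up, having obeyed the repeated frame; the counter-checked receiver ends two up and reports the third delivery as rejected.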
So DI2 6800 on wire is safe, while DI2 8000 on wireless is vulnerable?
8000 is not available as wireless. 8100 (R8150) running wireless theoretically is vulnerable, although can be installed to run wired.