No, you won't be able to hack pro cyclists' electronic gears — Shimano shuts down cheating concerns over £175 jamming device, with immediate firmware update to "enhance security" already in use by pro cycling teams

Could one of the world's best professional cyclists lose a bike race because of nefarious hacking or jamming of their electronic shifting? That's the question thrust into the spotlight since US-based researchers revealed a radio attack technique that can target and hack into Shimano Di2, causing a cyclist's gears to change, or even be disabled, via a £175 device up to 10 metres away.

The academics from UC San Diego and Northeastern University told of a "different kind of doping" — potential wireless warfare, if you like — in their paper, 'MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles', which we shared on our live blog yesterday following an interview with two of the researchers Earlence Fernandes and Aanjhan Ranganathan that appeared on Wired.

Well, before we all get too fearful of the prospect of a very 21st century form of cheating — roadside hackers able to change a rider's gear or, more easily, simply jam their shifters, or even impacting every single rider using electronic Shimano shifters in the peloton by broadcasting a certain signal frequency — we should probably point out that the researchers have been working alongside components giant Shimano on a fix since March, a "firmware update" that professional race teams now have and will be "available for all riders in late August". So, no jamming your group ride companions' shifters for that upcoming climb either...

> 10 things you didn't know your electronic groupset could do! How to get the most out of Shimano Di2 and SRAM AXS

Shimano told us they have been working with the researchers to "enhance the communication security for all riders using our Di2 wireless platforms", a collaboration which has led the manufacturer's engineers to have "identified and created a new firmware update" to deliver on that enhanced security aim.

"The firmware update has already been deployed across our professional race teams, including those taking part in the Tour de France Femmes avec Zwift, and the upcoming Vuelta," Shimano told us. 

"It is expected that the update will be available for all riders in late August. With this release, riders can perform a firmware update using Shimano's E-TUBE Cyclist smartphone app. More information about this process and steps riders can take to update their Di2 systems will be available shortly.

"While we cannot share details on the exact fix at this moment for obvious security reasons, we can share that this update is intended to improve wireless transmission across Shimano Di2 component platforms and will continue providing the highest level of shifting performance for which Shimano is renowned for."

And while all the discussion so far has surrounded Shimano, there have been suggestions that there is no reason why fellow WorldTour electronic groupset provider SRAM could not potentially be vulnerable to similar foul play. We contacted SRAM for comment and will update this piece with any response received.

But has this "different kind of doping" ever actually happened at a professional race? At the minute, nobody knows and while riders may now be racking their brains for memories of untimely shifting shockers, no teams or riders have publicly raised suspicions about having fallen victim to groupset hacking.

> New patent suggests Shimano 13-speed electronic groupsets are coming — here's what we know so far

The method the researchers outlined, the one that Shimano says has been addressed with a firmware update, would allow a wrongdoer to have used hardware costing only £175 and allow potential hackers to take over and control a bike's shifting behaviour by sending spoof radio signals from as far as 10m away.

They would also have had to intercept the target's gear-shift signals at some point previously, say before a stage, and have access to kit such as the software-defined radio, antenna and laptop the researchers used. However, the researchers pointed out this could be reduced in size to the point where their hardware set-up could be in a rival team car or in a rider's back pocket, not necessarily like the somewhat bulky roadside set-up seen in their video.

Shimano is confident it has addressed what the academics exposed as a vulnerability in Shimano's Di2 systems, with a blackbox analysis of the manufacturer's wireless protocols revealing a lack of mechanisms to prevent an attacker taking over someone's gears, and information leakage resulting from the use of ANT+ communication, that allows an attacker to inspect telemetry from a targeted bike.

> Complete guide to electronic gears: your bike's shifting, indexing and charging explained

Looking forward, another question might be whether others will be able to repeat the researchers' feat and leave the groupset manufacturers again scrambling for a fix. For now, the academics suggest it should be a warning about security vulnerabilities stemming from the implementation of wireless tech, something they told Wired has been a "repeating pattern" that has an "impact on real-world control systems" and "can cause real physical harm", such as with keyless car entries and thefts.