Computer scientists at the University of California San Diego and Northeastern University have concluded that wireless groupsets aren't as secure as previously thought, after successfully hacking Shimano Di2.
Using signal jammers and devices known as software-defined radios, the researchers were able to both perform unintended shifts remotely, as well as stop a groupset from working entirely.
The trio, which comprises Maryam Motallebighomi, Earlence Fernandes, and Aanjhan Ranganathan, say their findings could be used maliciously at races as big as the Tour de France to gain an unfair advantage.
“Security vulnerabilities in wireless gear-shifting systems can critically impact rider safety and performance, particularly in professional bike races,” the paper states. “In these races, attackers could exploit these weaknesses to gain an unfair advantage, potentially causing crashes or injuries by manipulating gear shifts or jamming the shifting operation.”
In the study, researchers chose to analyse Japanese brand Shimano, described as the market leader, and focussed on its 105 Di2 and Dura-Ace Di2 groupsets.
Through a 'blackbox analysis' of Shimano's wireless protocol, they found three major vulnerabilities.
The first was a lack of mechanisms to prevent replay attacks, which allows an attacker to capture and retransmit gear-shifting commands, similar to the technology used to hack keyless entry vehicles or wireless garage door openers.
The second was a susceptibility to targeted jamming, enabling an attacker to broadcast 'noise' at the same frequency as the Shimano protocol, in turn disabling shifting on a specific bike without affecting others nearby.
The third finding was that the use of ANT+ communication can result in information leakage, allowing attackers to inspect telemetry from a targeted bike.
While the current setup used by the researchers – a software-defined radio (SDR) and a laptop – is not optimised for size or portability, they warned that technological advancements could make these attacks more feasible in real-world scenarios.
"With advancements in miniaturisation and integrated circuit (IC) technology, it is feasible to reduce the size of the attack device significantly," they explained. "By custom designing specific circuits, we can integrate a receiver, a modest amount of memory for signal storage, and a transmitter into a compact, single System on a Chip (SoC) or small circuit board. This miniaturization process makes the attack system more discreet and enhances its portability and deployment ease."
Seeing riders with hacking devices in their pockets to deploy upon their unsuspecting competitors is still highly unlikely, but the researchers draw parallels with cycling's history of doping and compare a rider's motivations to cheat.
"The sport of professional cycling has a long and troubled history with the use of illegal performance-enhancing drugs. Security vulnerabilities in one of the most critical components of the bike could be viewed as an attractive alternative method for people who want to compromise the integrity of the sport."
"Furthermore, our attacks do not leave any detectable trace, unlike the use of performance-enhancing drugs."
Going forward
The researchers say they're now working with Shimano to patch the vulnerabilities. The Japanese brand has corroborated this claim, with our contact at Shimano saying that the brand was working with the researchers "prior to their paper being presented at the conference."
"Shimano has been working with the researchers to enhance our Di2 wireless communication security for all riders," began the brand's official statement on the matter.
"Through this collaboration, Shimano engineers identified and created a new firmware update to enhance the security of the Di2 wireless communication systems."
Shimano also adds that the updates have been made available to pro teams and that a consumer-facing firmware patch will follow.
"The firmware update has already been provided to the women’s and men’s professional race teams and will be available for all general riders in late August. With this release, riders can perform a firmware update on the rear derailleur using our E-TUBE Cyclist smartphone app. More information about the update process and the steps riders can take to update their Di2 systems will be made available shortly."
Cyclingnews has also asked both Shimano and SRAM if they are aware of any real-world instances of groupset hacking for competitive gain, but as yet, neither has responded.
Local News
Comments / 0