Researchers have recently uncovered vulnerabilities in the popular Shimano Di2 electronic gear-shifting system, raising concerns about the security of these high-end bicycles.
While cybersecurity experts have long been warning about the potential risks of interconnected devices, from baby monitors to automobiles, this latest frontier of bicycle hacking may still come as a surprise.
Ins and Outs of Electronic Gear-Shifting
Shimano, the world’s largest manufacturer of bicycle components, has been experimenting with electronic gear-shifting systems since 2001. Unlike traditional mechanical systems, which rely on cables to connect the gear-derailleurs to the gear-shifters, electronic systems use wireless or wired connections to transmit commands.
The Shimano Di2 system, which dominates the high-end market, uses a combination of Bluetooth Low Energy and ANT+ protocols to communicate with the bike’s computers and the Shimano smartphone app. The system’s communication is surprisingly simple, with the shifter sending a command to the derailleur, which confirms receipt of the command.
However, researchers from Northeastern University and the University of California San Diego discovered a critical vulnerability in the system’s proprietary protocol, which uses a fixed frequency of 2.478 GHz. While the commands are encrypted, the researchers found that the transmitted packets lack a timestamp or one-time code, making the system vulnerable to a replay attack.
This means that an attacker can intercept the encrypted commands and use them to shift gears on a victim’s bike without decrypting them.
Risks and Implications for Shimano Di2 Bicycles
The researchers successfully demonstrated that they could intercept and replay commands using an off-the-shelf software-defined radio, with an effective attack range of 10 meters. This raises significant concerns for professional cyclists, who could use this vulnerability to gain an unfair advantage in competitions.
Malicious commands could be sent remotely by a support team, affecting an opponent’s performance or even causing damage to the bike.
The researchers also explored the possibility of ‘targeted jamming,’ where continuous repeat commands are sent to the victim’s bike, causing the gear-shifting system to malfunction. These attacks, which effectively work as a denial-of-service (DoS) attack, could leave the cyclist stranded or injured while continuous repeat commands could potentially render the bicycle unusable.
Shimano’s Response to Vulnerability
Shimano has been made aware of the security vulnerabilities in the Shimano Di2 system and has developed an update to address the issue. However, as of now, the update has only been made available to professional cycling teams.
While Shimano has promised to make the update available to the general public through the E-TUBE PROJECT Cyclist app, the general public could remain vulnerable until a wider release is made, although the risk of exploitation is assumed to be low for non-professional cyclists.
