When wireless shifting first launched, some naysayers argued the systems could be vulnerable to sabotage. Couldn’t the systems, now made by all major manufacturers, be hacked? Couldn’t someone take over control, or at least disrupt the functioning of a rider’s derailleur mid-race? Well, it turns out that is entirely possible. A trio of researchers from Northeastern University and UC San Diego recently released a study showing how they were able to remotely intercept and take over control of Shimano’s Di2 drivetrains.
The study showed Shimano’s Di2 system is vulnerable to several kinds of remote attacks. While Shimano is taking the brunt of the publicity resulting from this study, the authors do note that all wireless systems, including SRAM and Campagnolo, could be vulnerable to similar attacks. This study focused on the Japanese brand as it had the largest market share of wireless road shifting systems.
The possible forms of attack range from targeting a specific bike via replay attack to jamming (effectively disabling) the shifting of an entire peloton at the same time. It’s even possible to selectively jam certain bikes while leaving other groups (or, uh, teams) unaffected. “You can basically jam everyone except you,” Northeastern professor Aanjhan Ranganathan explained to Wired.
It is a weakness similar to those most wireless systems are exposed to. Remote garage door openers and wireless car keys are currently being exploited by thieves to easily steal cars and break into houses.
Shimano working with researchers
Before you start with paranoid glances over your shoulder on group rides or watching the crowd at your local crit for a sighting of Matthew Lillard or Angelina Jolie, take a deep breath. Shimano’s already worked extensively with the researchers involved to create a firmware update addressing this specific security concern. It’s currently only available to pro teams, but will be available to any Di2 user in late August.
The study does, though, show that attacks could be carried out using surprisingly affordable and portable devices. Researchers say their demonstration used around $1,500 of equipment and a laptop. But they added that it could be carried out with a combination of a $350 HackRF and a Raspberry Pi mini-computer small enough to hide roadside, or in a team car.
You can see the trio’s demonstration of an attack and explanation in the video below:
A new…