A team of computer scientists found that wireless gear-shifting systems in high-end bikes are vulnerable to cybersecurity attacks that could undermine popular races like the Tour de France.
Wireless gear-shift systems are meant to give riders better control of their bikes, according to the University of California San Diego, whose researchers collaborated with those from Northeastern University on the study. But the modernization also introduces a new set of problems in the form of hacking vulnerabilities. Those weak points could be exploited “to gain an unfair advantage, potentially causing crashes or injuries by manipulating gear shifts or jamming the shifting operation,” the researchers wrote.
The group specifically looked into bikes with Shimano Di2 wireless gear-shifting technology, which it called the “market leader.” According to UC San Diego, the system works “by deploying wireless links between the gear shifters controlled by the riders and the device that moves chains between gears on the bike, called a derailleur.” By recording and then retransmitting those commands, researchers found they were able to perform an attack from up to 10 meters away with “off the shelf devices.” They also found it’s possible to disable gear shifting for one particular bike with a targeted jamming attack, rather than impacting all surrounding ones.
The researchers are now working with Shimano to patch the vulnerabilities, UC San Diego says, and the company has already started using some of their suggested countermeasures. Shimano did not immediately respond to a request for comment.
“The history of professional cycling’s struggles with illegal performance-enhancing drugs underscores the appeal of such undetectable attacks, which could similarly compromise the sport’s integrity,” the researchers say. “Given these risks, it is essential to adopt an adversary’s viewpoint and ensure that this technology can withstand motivated attackers in the highly competitive environment of professional cycling.”