A team of computer scientists has found that wireless gear-shifting systems on luxury bicycles are vulnerable to cyberattacks that could disrupt popular races like the Tour de France.
The wireless gear-shifting system is meant to give riders better control over their bikes, according to the University of California, San Diego, whose researchers collaborated with researchers at Northeastern University. But this modernization also introduces new problems in the form of vulnerabilities to hacking. These weaknesses “could be exploited to gain an unfair advantage, potentially manipulating or disrupting the gear shift, causing a crash or injury,” the researchers wrote.
In particular, the researchers looked at bikes equipped with Shimano Di2 wireless gear-shifting technology, which they called the “market leader.” The system works “by deploying a wireless link between the rider-operated gear shifters and devices called derailleurs that move the chain between the bike’s gears,” according to the University of California, San Diego. By recording and retransmitting these commands, the researchers found they could launch attacks from up to 10 meters away using “off-the-shelf equipment.” They also found that targeted jamming attacks could disable gear shifting on one specific bike, rather than affecting all nearby bikes.
The researchers are currently working with Shimano to fix the vulnerabilities, and the company has already begun implementing some of the countermeasures the researchers suggested, according to the University of California, San Diego. Shimano did not immediately respond to a request for comment.
“Professional cycling’s history of battling illegal performance-enhancing drugs illustrates how attractive such undetectable attacks are, which could potentially undermine the integrity of the sport,” the researchers wrote. “Given these risks, it is essential to take an adversary’s perspective and ensure that this technology can stand up to an attacker in the highly competitive environment of professional cycling.”