(Article) Hackers have figured out how to tap into your electronic shifters

To carry out that eavesdrop-and-replay attack, the researchers used a $1500 USRP software-defined radio, an antenna, and a laptop.

Just what I carry on a ride.

Discussed here: https://www.trainerroad.com/forum/t/wireless-shifting-vulnerable-to-jamming-interference/95375/22

Most of the strange rabbit holes already cleared. :rofl:

Did anyone think these things were secure? I guess if this actually becomes a problem the easiest solution would be to move back to wires. It’s just signalling (so pretty thin wire), it can’t be that big an engineering problem to route them through, even if it’s more expensive than wireless.

Encryption would work too but would increase power requirements, wouldn’t stop jamming attacks, and might be unlawful in some jurisdictions.

But I doubt it will be a problem in practice.

2 Likes

Are you talking Di2 or enterprise SaaS? :thinking::crazy_face:

2 Likes

Dear DI2 derailleur owner,
We have noticed some unexpected activity.
Please click the link below to verify your contact information to avoid your derailleur being locked out.

10 Likes

Shimano have issued updated firmware they claim to have resolved the identified issues.

A few observations/thoughts on this…

  • They screwed up the initial firmware roll-out this time last week.
  • Coverage of this paper hit Forbes, The Verge, WIRED, etc… the fix? Zero mention of it anywhere.
  • There has been no communication from Shimano to 12spd Di2 owners (those who’ve registered an account via E-Tube Mobile).
  • There’s no mention of this update on the Shimano technical forums (S-TEC). They’re more interested in promoting “Flash Sales” than this critical (to some) update.

I really expected more from Shimano on this one. Although I am not surprised.

7 Likes

Proof of concepts always are, it’s convenient. But no reason it couldn’t be shrunk to a matchbox size and cost pennies.

I saw your video. Are they running away from it because of a fear of lawsuits, or are they just that inept dealing with their electronic products. Like their power meters, but then there is their cranksets, yikes! Is it upper management? They have a lot of the market by default, but their competition hasn’t been that great in the past either. The big road brake fiasco being one where they stumbled. I guess we have to accept some of this, and hope we are ‘made right’ at the end.

Thanks for all your work for cycling.

Whatever…

I’m using the forum incorrectly. I was waxing philosophical and commenting on the world in general, but it doesn’t have much to do with cycling.

Joe Lindsey quoted one tech guy who had the best line - security through obscurity. :rofl:

2 Likes

99.999999999% of people can ignore this vulnerability. The only potential folks who could be hit with this are pros at the very top.

The only potential risk for average riders would be someone setting up a DOS (denial of shifting) attack in an area because they don’t like cyclists.

3 Likes

You can’t even buy a decent bike for that. How much did the rider spend to put a wireless groupset on his bike? And that’s not nearly as performance-enhancing as being able to shift your opponent’s bike.

1 Like

Just as the use of floppy discs is deemed secure in some U.S. missile silos, I’m going to hang onto my mechanical shifters a little while longer.

I don’t need the Russians or Iranians hacking me.

2 Likes

Funny

In the 70’s I worked for an electronics company that sold computer equipment to the Navy. It was for shipboard use. It did use 8” floppy’s.

1 Like