Shimano's electronic transmission could be hacked remotely without leaving a trace

A recent study has revealed that Shimano's electronic transmissions can be hacked and blocked remotely without leaving a trace. Only a device costing less than 200€ is needed to do so. This discovery does not pose a risk to cyclists and Shimano has already announced a firmware update aimed at eliminating this vulnerability.

Transmissions remain completely secure

Researchers from Northeastern University and the University of California, San Diego, have identified vulnerabilities in the Di2 105 and DURA-ACE models from the manufacturer, which allow a person to manipulate gear changes on a bicycle from distances of up to 10 meters.

Modern electronic transmissions are designed with advanced encryption systems to ensure that there are no interferences or failures during operation. Since their introduction in the cycling world, there have been no incidents that question their reliability. However, researchers from universities in the U.S. have discovered a vulnerability that could be exploited by individuals with malicious intentions.

The study reveals that, using a low-cost device, it would be possible to intervene in the gear system of a bicycle equipped with electronic transmission, altering or blocking gears without the cyclist having control over it. This type of attack could be used to gain an advantage in competitions, which has been described as a new form of technological doping, although it could also affect cycling enthusiasts who use them on their bikes.

Using a low-cost software-defined radio (SDR), the academics were able to record and reproduce signals between the shift levers and derailleurs, demonstrating that it was possible to carry out blocking attacks without the need to extract cryptographic data. The simplicity of this technique, which can be carried out with a device costing less than 200 euros, highlights the ease with which a cybercriminal could alter a cyclist's performance. The attack consists of capturing the signal emitted when changing gears and reproducing it on the bike regardless of the current gear, requiring capturing an upshift and downshift signal.

The authors of the study, Maryam Motallebighomi, Earlence Fernandes, and Aanjhan Ranganathan, have warned about the risk of unauthorized and uncontrolled gear changes that could occur without the cyclist having control over the system. The attack involves capturing a signal during a gear change and reproducing it at a later time, which could cause unexpected and unwanted changes.

Despite the seriousness of the discovery, experts emphasize that, under normal conditions, the risk of suffering this type of attack is extremely low. In addition, the companies responsible for manufacturing these systems are already working on security patches to mitigate any possible vulnerabilities in the systems.

Shimano has already found a solution

In response to the vulnerability highlighted by the study, Shimano has announced a firmware update aimed at eliminating these vulnerabilities. The company, which has collaborated with researchers to develop this patch, has begun using this solution in its elite teams. Likewise, it has ensured that it will also be available to all cyclists by the end of August.

Experts have already assured that the security of electronic transmissions remains high and there is no reason to be alarmed. As they have identified, this type of attack is very specific and difficult to carry out without a deep knowledge of the technology, so cyclists should not worry about it.

Therefore, while brands seek the definitive solution to reinforce security, cyclists can continue to use their electronic systems with confidence, knowing that the chances of such an attack occurring are practically nonexistent in their daily cycling outings.

In addition to efforts to improve security, the study also highlighted the importance of collaboration between manufacturers and cybersecurity experts to proactively address possible vulnerabilities in emerging technologies. The researchers have suggested implementing real-time intrusion detection systems and using even more robust encryption algorithms as additional preventive measures. This would not only protect professional and elite cyclists, but also anyone using this transmission.