Shimano says it has provided that firmware update to the professional cycling teams that use its components. But the company says the fix won’t be more widely available until late August, and declined to elaborate on exactly how the update prevents the attacks identified by researchers. “We can share that this update is intended to improve wireless transmission between Shimano Di2 component platforms,” the company wrote. “We cannot share details on the exact fix at this time, for obvious security reasons.”
Exactly how the patch will roll out to customers is also unclear. The company writes that “riders will be able to perform a firmware update on the rear derailleur” using Shimano’s E-TUBE Cyclist smartphone app. However, the company doesn’t say whether the fix will also apply to the front derailleur. “More information on this process and the steps riders can take to update their Di2 systems will be available soon,” the company concludes.
Although Shimano’s patch plan leaves a week or two between the researchers’ public presentation of their bike-hacking technique at Usenix and the broad rollout of a fix to customers, UCSD professor Fernandes argues that it’s unlikely that average riders will be targeted by their technique, at least not immediately. “I find it hard to believe that someone would launch such an attack on me during my group ride on Saturday,” Fernandes says.
However, professional cyclists should be sure to implement the early patch that Shimano has already provided, the researchers say. They also note that other brands of wireless shifters could be vulnerable to similar hacking techniques: they only targeted Shimano because it has the largest market share.
In the cutthroat world of cycling, which has been rocked by doping scandals in recent decades, they argue that rivals hacking each other’s shifters is not a far-fetched scenario. “This is, in our opinion, a different kind of doping,” says Fernandes. “It leaves no trace and it allows you to cheat in the sport.”
More broadly, they argue that their research into radio-based bicycle hacking is a cautionary tale about the temptation to add wireless electronic features to any technology, from garage doors Unpleasant cars for bicycles, and the unintended consequences of that long-term trend, namely that they have all become vulnerable to forms of replay and jamming attacks of the kind Shimano is now trying to remedy.
“This is a repeating pattern,” says Northeastern’s Ranganathan, who has also developed solutions for replay attacks on automotive keyless entry systems. “When manufacturers start embedding wireless capabilities into their products, that impacts real control systems. And that can cause real physical damage.”
Corrected on 8/14/2024 at 10:00 a.m. ET to indicate that the correct software-defined radio was used in the researchers' experimental setup and to remove an incorrect reference to Bluetooth.