Your Shimano gears can be hacked - but there's a fix coming

Shimano's Di2 wireless gear-shifting systems can be hacked, according to research from US universities, but there is already a fix in place for pro teams, and one coming for ordinary users.

As reported in Wired, researchers from UC San Diego and Northeastern University revealed a technique this week that would allow anyone to hack into Di2, using a radio attack. A hacker positioned nine metres away could trigger an attack which would make a bike jump gears or jam the shifters.

Shimano's Di2 shifters communicate with the derailleurs via a radio signal, which can be interfered with, according to the paper, entitled: MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles.

Imagine Tadej Pogačar's gears dropping as he wound up for an attack on a climb at the Tour de France, or a similar thing happening to Charlotte Kool as she readied herself for a sprint finish. It could even mean danger.

"The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time," Earlence Fernandes, an assistant professor at UCSD’s Computer Science and Engineering Department, told Wired. "Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that.

"This is, in our opinion, a different kind of doping," he said. "It leaves no trace, and it allows you to cheat in the sport."

In order for the attack to happen, the researchers found that the hack needs to intercept the target's shifting signal, and then replay those signals later to cause the issues.

The researchers used a $1500 USRP software-defined radio, an antenna, and a laptop, but said that a $350 piece of kit would work just as well, and it could be used by just about anyone on or near the race.

Even more dangerously, an attack could target all Shimano users at once, benefiting riders on different components, or advantaging one person in particular. 

However, the researchers worked in collaboration with Shimano and the Japanese tech giant has developed a patch update that will close the loophole.

That firmware update has already gone out to all Shimano users in the professional pelotons, but the fix won't be available to ordinary users until later in August.

Cycling Weekly reached out to Shimano for comment, and the brand told us: "Shimano has been working with the researchers to enhance our Di2 wireless communication security for all riders. Through this collaboration, Shimano engineers identified and created a new firmware update to enhance the security of the Di2 wireless communication systems."

The brand added: "The firmware update has already been provided to the women’s and men’s professional race teams and will be available for all general riders in late August. With this release, riders can perform a firmware update on the rear derailleur using our E-Tube Cyclist smartphone app. More information about the update process and the steps riders can take to update their Di2 systems will be made available shortly."

The fix has been promised to the general public "by the end of the month".