Your Shimano gears can be hacked - but there's a fix coming
The world's best riders were open to manipulation via radio signals, until a team of researchers discovered the flaw
Shimano's Di2 wireless gear-shifting systems can be hacked, according to research from US universities, but there is already a fix in place for pro teams, and one coming for ordinary users.
As reported in Wired, researchers from UC San Diego and Northeastern University revealed a technique this week that would allow anyone to hack into Di2, using a radio attack. A hacker positioned nine metres away could trigger an attack which would make a bike jump gears or jam the shifters.
Shimano's Di2 shifters communicate with the derailleurs via a radio signal, which can be interfered with, according to the paper, entitled "MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles".
Imagine Tadej Pogačar's gears dropping as he wound up for an attack on a climb at the Tour de France, or a similar thing happening to Charlotte Kool as she readied herself for a sprint finish. It could even mean danger.
"The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time," Earlence Fernandes, an assistant professor at UCSD’s Computer Science and Engineering Department, told Wired. "Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that.
"This is, in our opinion, a different kind of doping," he said. "It leaves no trace, and it allows you to cheat in the sport."
To carry out the attack, the researchers found, an attacker first needs to intercept the target's shifting signals, and then replay those signals later to cause the issues.
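Why a recorded signal can still work later, and what a receiver needs in order to refuse it, shown as an added example that is not from the article, the paper or Shimano. The frame layout, key and command names are constructed for illustration and do not represent the Di2 protocol or the firmware fix.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-pairing-key"   # assumption: secret shared when the parts are paired
STEP = {b"UP": 1, b"DOWN": -1}     # constructed command set

def make_frame(counter: int, command: bytes) -> bytes:
    """Shifter side: 4-byte counter, command, 8-byte truncated HMAC-SHA256 tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

def authentic_body(frame: bytes):
    """Return the frame body if its tag verifies, otherwise None."""
    if len(frame) < 13:
        return None
    body, tag = frame[:-8], frame[-8:]
    good = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    return body if hmac.compare_digest(tag, good) else None

class NaiveReceiver:
    """Checks authenticity only, so a recorded frame stays valid forever."""
    def __init__(self):
        self.gear = 5

    def receive(self, frame: bytes) -> bool:
        body = authentic_body(frame)
        if body is None or body[4:] not in STEP:
            return False
        self.gear += STEP[body[4:]]
        return True

class FreshReceiver(NaiveReceiver):
    """Also requires a strictly increasing counter, so each frame works once."""
    def __init__(self):
        super().__init__()
        self.last_counter = -1

    def receive(self, frame: bytes) -> bool:
        body = authentic_body(frame)
        if body is None:
            return False
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter or not super().receive(frame):
            return False
        self.last_counter = counter
        return True

def replay_outcome(receiver) -> tuple:
    """Deliver one frame, then the same bytes again as a recorded copy would be."""
    frame = make_frame(1, b"DOWN")
    return receiver.receive(frame), receiver.receive(frame), receiver.gear
```

The naive receiver shifts twice on one genuine frame because authenticity alone says nothing about when the frame was sent; the counter check is what makes a recorded copy useless.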
The researchers used a $1500 USRP software-defined radio, an antenna, and a laptop, but said that a $350 piece of kit would work just as well, and it could be used by just about anyone on or near the race.
Even more dangerously, an attack could target all Shimano users at once, benefiting riders on different components, or advantaging one person in particular.
However, the researchers worked in collaboration with Shimano and the Japanese tech giant has developed a patch update that will close the loophole.
That firmware update has already gone out to all Shimano users in the professional pelotons, but the fix won't be available to ordinary users until later in August.
Cycling Weekly reached out to Shimano for comment, and the brand told us: "Shimano has been working with the researchers to enhance our Di2 wireless communication security for all riders. Through this collaboration, Shimano engineers identified and created a new firmware update to enhance the security of the Di2 wireless communication systems."
The brand added: "The firmware update has already been provided to the women’s and men’s professional race teams and will be available for all general riders in late August. With this release, riders can perform a firmware update on the rear derailleur using our E-Tube Cyclist smartphone app. More information about the update process and the steps riders can take to update their Di2 systems will be made available shortly."
The fix has been promised to the general public "by the end of the month".
Adam is Cycling Weekly’s news editor – his greatest love is road racing but as long as he is cycling, he's happy. Before joining CW in 2021 he spent two years writing for Procycling. He's usually out and about on the roads of Bristol and its surrounds.
Before cycling took over his professional life, he covered ecclesiastical matters at the world’s largest Anglican newspaper and politics at Business Insider. Don't ask how that is related to riding bikes.