The Internet of Things has made it possible for you to dispose of your cat’s poop with the click of a button, close your garage door with your phone, and even use utensils that vibrate when you’re about to choke, but it’s also made it possible for hackers to mess with pretty much every aspect of your life. This is a problem that extends even to the average racing bicycle. New research suggests that certain brands of bike parts have vulnerabilities that could allow them to be remotely compromised during competitions.
The research was unveiled this week at the Usenix Workshop on Offensive Technologies by researchers from Northeastern University and UC San Diego. In their paper, researchers note that, much like modern cars, today’s bicycles are “cyber-physical systems that contain embedded computers and wireless links to enable new types of telemetry and control.” One of the more common cyber-connected systems is the wireless gear shifter, which uses electronic switches instead of traditional control levers to allow bikers shift gears. Researchers tested shifters sold by Shimano, a Japanese company that is one of the larger cycling parts sellers in the world. Unfortunately, researchers found that Shimano’s shifters are vulnerable to simple “replay attacks” of the sort that are frequently targeted at car fobs. Such attacks, which utilize a radio signal manipulation, allow attackers to capture and weaponize data wirelessly exchanged by hardware parts. In this case, attackers could use such an attack to “unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear,” Wired writes. Radio hardware necessary to carry out such an attack is relatively inexpensive.
“Security vulnerabilities in wireless gear-shifting systems can critically impact rider safety and performance, particularly in professional bike races,” researchers’ paper notes. “In these races, attackers could exploit these weaknesses to gain an unfair advantage, potentially causing crashes or injuries by manipulating gear shifts or jamming the shifting operation.” Obviously cheating is common in athletic competitions, so a hackable bicycle would definitely be something to worry about for competitive racers. Researchers highlight this point: “The history of professional cycling’s struggles with illegal performance-enhancing drugs underscores the appeal of such undetectable attacks, which could similarly compromise the sport’s integrity,” they write. “Given these risks, it is essential to adopt an adversary’s viewpoint and ensure that this technology can withstand motivated attackers in the highly competitive environment of professional cycling.”
Gizmodo reached out to Shimano for comment. Last year, the company was the victim of a ransomware attack and, after refusing to pay, had several terabytes of its corporate data spilled onto the internet by the hackers.