Wireless shifting hack / jamming

I work in tech so I’m only surprised this wasn’t done sooner against eTap.

https://www.wired.com/story/shimano-wireless-bicycle-shifter-jamming-replay-attacks/

Should be fun on my next group ride!

Another argument for sticking with my old school wired Ultegra Di2.

The firmware update may prevent taking control of your derailleur, but I don’t see how it will address someone using a jammer. So the pro peloton will probably continue to have wired setups available.
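As an added illustration of the distinction made above (not code from the paper or from Shimano’s actual firmware fix), this models why a replayed shift command can be blocked in firmware while jamming cannot: a receiver that trusts any well-formed frame accepts a captured frame a second time, whereas a receiver that checks a keyed tag and a strictly increasing counter rejects it. The key, frame layout and class names are constructed for the demo; a hardened receiver still cannot act on a frame that a jammer stops it from hearing.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real system would hold a per-pairing secret.
PAIRING_KEY = b"demo-pairing-key-not-real-firmware"

SHIFT_UP, SHIFT_DOWN = 1, 2


def make_frame(cmd: int, counter: int, key: bytes = PAIRING_KEY) -> bytes:
    """Build an authenticated frame: cmd (1 byte) | counter (4 bytes) | tag (8 bytes)."""
    body = struct.pack(">BI", cmd, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class LegacyReceiver:
    """Accepts any well-formed command, so a captured frame replays successfully."""
    def __init__(self):
        self.gear = 5

    def receive(self, frame: bytes) -> bool:
        (cmd,) = struct.unpack(">B", frame[:1])
        self.gear += 1 if cmd == SHIFT_UP else -1
        return True


class HardenedReceiver:
    """Verifies the tag and requires a strictly increasing counter."""
    def __init__(self, key: bytes = PAIRING_KEY):
        self.key = key
        self.gear = 5
        self.last_counter = -1

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        cmd, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return False  # replayed (or reordered) frame
        self.last_counter = counter
        self.gear += 1 if cmd == SHIFT_UP else -1
        return True


def replay_demo():
    """Deliver one captured frame twice to each receiver; return (legacy, hardened) results of the replay."""
    captured = make_frame(SHIFT_UP, counter=7)
    legacy, hardened = LegacyReceiver(), HardenedReceiver()
    legacy.receive(captured)
    hardened.receive(captured)
    return legacy.receive(captured), hardened.receive(captured)
```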

Agree, the jamming attack is almost certainly not patchable. The paper also mentions eavesdropping on ANT+. It seems like that’s something pro teams could be quite interested in. Imagine the UAE team car having a real time feed of Vingegaard’s heart rate and power output.

I bet Joe Grand could build a module that is small enough to be hidden inside a rider’s radio unit (or elsewhere), captures other riders’ ANT+ and relays the data to the team car. You could also just have a couple people with HackRFs on sections of the major climbs, capturing data and agreed upon code words for actions. “The pizza is ready”; attack.

The ANT+ protocol does support AES encryption but it’s an optional feature as I recall.

Eavesdropping on ANT+ is old and easy. I’ve been doing it with a WASP for around 10 years now. The frequencies of SRAM and Shimano wireless stuff are narrow and known; jamming is easy.

https://youtu.be/jWkMhCLkVOg?si=r6lAcMdtUQN_9u2C

Using encryption increases power consumption and so it’s reasonable to guess that most device manufacturers, who make the heart rate monitors or power meters, probably don’t do much in the way of encryption. (Based on your comments, I am sure you two know that but just stating it for sake of conversation.)

I was slightly disappointed the researchers didn’t extract the firmware and reverse engineer it. Anyway, good project for someone’s next BlackHat talk. It would be cool to have a blip with patched firmware that does the replay attack and shifts the other guy’s bike.

The other reason not to bother spying is that ANT+ and BLE have a short range - certainly shorter than the length of the peloton in a grand tour. So to spy on that data, it would most likely be another rider doing it. And if you’re 1 on 1 with a well matched opponent, you have a rough idea of his power anyhow.

But messing with shifting could have a sudden effect for launching an attack. Or even a spectator with bad intentions could cause a crash on a bunch sprint. I think the latter is more of a risk than one of the teams using it to cheat.

…I think the latter is more of a risk than one of the teams using it to cheat.

Yep, no way would any teams deliberately do anything to improve their chances of winning at the risk of damaging the integrity of the sport. Would never happen.


Ars Technica covered the hack in some detail. In the comments,

one of the teams in the tour this year showed up with an antenna-strewn “command center” which the organizers promptly told them to GTFO since they assumed they were sniffing all the ANT+ and BLE powermeter signals to gain an advantage. Just about every commercial powermeter broadcasts in the blind over ANT+ with no handshakes needed, so it’d be easy to slurp up everyone’s power numbers if you had a nice high-gain antenna pointed at the peloton from the team car.

can’t verify this of course, but I would not be surprised…