From: Jeff Liebermann <jeffl@cruzio.com>
Newsgroups: rec.bicycles.tech
Subject: Re: Jamming Shimano Di2
Date: Sat, 17 Aug 2024 11:49:55 -0700
Message-ID: <o2q1cj5bb877tc764i1o9ddn5nnkhide5h@4ax.com>
References: <ona0cjlnpdmjv5c2r6nlm1ubb3mi4jqf55@4ax.com> <v9q3t0$1sfv4$10@dont-email.me> <opg1cj5kmiullu25leaaii4redindeohj4@4ax.com> <v9qj1f$1v8v2$4@dont-email.me>

On Sat, 17 Aug 2024 12:27:26 -0400, zen cycle
<funkmasterxx@hotmail.com> wrote:

>On 8/17/2024 12:14 PM, Jeff Liebermann wrote:
>> On Sat, 17 Aug 2024 08:09:03 -0400, zen cycle
>> <funkmasterxx@hotmail.com> wrote:
>> 
>>> On 8/17/2024 1:06 AM, Jeff Liebermann wrote:
>>>> Welcome to electronic warfare for bicycle racing.
>>>>
>>>> "High-end racing bikes are now vulnerable to hacking"
>>>> <https://www.theverge.com/2024/8/14/24220390/bike-hack-wireless-gear-shifters>
>>>> "They also found it’s possible to disable gear shifting for one
>>>> particular bike with a targeted jamming attack, rather than impacting
>>>> all surrounding ones."
>>>>
>>>> "Cybersecurity Flaws Could Derail High-profile Cycling Races"
>>>> <https://today.ucsd.edu/story/cybersecurity-flaws-could-derail-high-profile-cycling-races>
>>>> "Attackers can record and retransmit gear-shifting commands, allowing
>>>> them to control gear-shifting on the bike without the need for
>>>> authentication via cryptographic keys."
>>>>
>>>> "No, you won't be able to hack pro cyclists' electronic gears"
>>>> <https://road.cc/content/tech-news/no-you-wont-be-able-hack-pro-cyclists-electronic-gears-309913>
>>>> "Could one of the world's best professional cyclists lose a bike race
>>>> because of nefarious hacking or jamming of their electronic shifting?
>>>> That's the question thrust into the spotlight since US-based
>>>> researchers revealed a radio attack technique that can target and hack
>>>> into Shimano Di2, causing a cyclist's gears to change, or even be
>>>> disabled, via a £175 device up to 10 metres away."
>>>>
>>>> "MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in
>>>> Bicycles"
>>>> <https://www.usenix.org/system/files/woot24-motallebighomi.pdf>
>>>> "...we uncovered the following critical vulnerabilities:
>>>> (1) A lack of mechanisms to prevent replay attacks that allows an
>>>> attacker to capture and retransmit gear shifting commands;
>>>> (2) Susceptibility to targeted jamming, that allows an attacker to
>>>> disable shifting on a specific target bike;
>>>> (3) Information leakage resulting from the use of ANT+ communication,
>>>> that allows an attacker to inspect telemetry from a target bike."
>>>>
>> 
>>> something tells me this could get very interesting....
>> 
>> Agreed.  What I find amusing (but not surprising) is that Shimano's
>> proprietary protocol is seriously lacking:
>> 
>> (1)  It's vulnerable to a replay DoS (denial of service) attack, which
>> is a very basic security failure that should have been tested.  There
>> are other possible attacks, which I'm sure the forces of evil are now
>> furiously testing for additional security issues.
>> 
>> (2)  Reliance on ANT+ security, which has provisions for encryption,
>> but nothing for cryptographic authentication.  That means the forces
>> of evil could forge ANT+ packets and impersonate devices.
>> "Analyzing a low-energy protocol and cryptographic solutions"  (Mar
>> 2015)
>> <https://courses.csail.mit.edu/6.857/2015/files/camelosa-greene-loving-otgonbaatar.pdf>
>> At least Shimano's use of BTLE (bluetooth low energy), for Di2 control
>> and configuration, is fairly secure.
>> 
>> (3)  Security by Obscurity doesn't work for very long.  Shimano and
>> ANT (owned by Garmin) should publish and perhaps open source their
>> proprietary protocols in order to get help from the cryptographic
>> community.
>> 

>ANT+ was never intended as a control protocol AFAIU.

I beg to differ.  Everything is bi-directional.  Most of the available
ANT profiles include some level of control.  Usually, it's just
calibration, reset, auto-zero etc.  There's even a profile called
"Controls" to control such vital devices as music players,
smartphones, bicycle computers, etc:
<https://www.thisisant.com/developer/ant-plus/device-profiles#517_tab>

In my never humble opinion, Shimano did the right thing to include
both BTLE and ANT+ support in the Di2.  At the time when the Di2 was
first introduced (2001), there were no BTLE devices.  BTLE was
contrived in 2006 (by Nokia) and absorbed by BT 4.0 in 2010.  The
sensor market was almost all ANT+ and very little BTLE.  All the
pundits proclaimed that ANT+ will eventually die and would be replaced
by BTLE.  That would have happened except the first BTLE chips
suitable for replacing ANT+ were expensive and of marginal quality.
Shimano had to wait for the mobile headset market to reduce the price
and the healthcare market to improve the quality.  Shimano had to
decide which protocol to support or if they should try to do it all
themselves.  They chose to do both ANT+ in order to support the
largest number of available sensors and BTLE to deal with newer
sensors.  The only thing that Shimano has done wrong (besides the high
price of Di2) is failing to explain all this to its customers.
Personally, I don't think ANT+ will ever completely disappear.

>My own experience 
>with it in my Zwift set-up paired to my Wahoo Kickr  showed it to be 
>slow and finicky. User forums complained of similar issues. My set-up 
>worked more accurately and reliably after I switched to the BLE mode.
>
>I could definitely see a scenario where a DS riding in a team car could 
>use a tool that targets a specific rider and keeps forcing the rider 
>into his 12 at seemingly random times.

You might consider being more devious and damaging.  For example,
resetting the calibration on the derailleur will take the victim out
of the race until he can recalibrate.  Or, just reset everything to
default.

>Though it's not anything I'll ever have to worry about, I'll stick with 
>the simplicity and reliability of a cable system, thank you.

Luddite.  It is considered an honor to lose (or die) in the name of
progress.

-- 
Jeff Liebermann                 jeffl@cruzio.com
PO Box 272      http://www.LearnByDestroying.com
Ben Lomond CA 95005-0272
Skype: JeffLiebermann      AE6KS    831-336-2558
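As an added illustration of points (1) and (2) in the quoted message above (no replay prevention, encryption without cryptographic authentication), here is a small Python example. It is not code from Shimano, ANT, or the MakeShift paper; the frame layout, the pairing key and the use of HMAC-SHA256 are assumptions made for the demonstration. A receiver that ignores freshness and authentication acts on a recorded frame every time it is delivered, while one that checks a MAC under a pairing key and enforces a strictly increasing counter acts once, drops the repeat, and drops a frame built without the key.

```python
import hashlib
import hmac
import struct

# Constructed toy frame layout (an assumption, NOT Shimano's real Di2 format):
#   counter (4 bytes, big-endian) || command (1 byte) || tag (16 bytes of HMAC-SHA256)
SHIFT_UP, SHIFT_DOWN = 0x01, 0x02
BODY_LEN, TAG_LEN = 5, 16
STEP = {SHIFT_UP: +1, SHIFT_DOWN: -1}  # one sprocket per command on a 12-speed cassette

def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Shifter side: bind the command to a fresh counter and MAC both under the pairing key."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def naive_accept(gear: int, frame: bytes) -> tuple[bool, int]:
    """Acts on any well-formed frame: no authentication and no freshness check."""
    if len(frame) != BODY_LEN + TAG_LEN:
        return False, gear
    command = frame[4]  # command byte; counter and tag are ignored
    return True, min(12, max(1, gear + STEP.get(command, 0)))

def auth_accept(key: bytes, last_counter: int, gear: int, frame: bytes) -> tuple[bool, int, int]:
    """Checks the MAC, then requires a strictly increasing counter, so a recorded frame
    is not acted on twice and a frame built without the key is dropped."""
    if len(frame) != BODY_LEN + TAG_LEN:
        return False, last_counter, gear
    body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, last_counter, gear      # forged or tampered frame
    counter, command = struct.unpack(">IB", body)
    if counter <= last_counter:
        return False, last_counter, gear      # replayed or stale frame
    return True, counter, min(12, max(1, gear + STEP.get(command, 0)))

def demo() -> dict:
    key = b"constructed-demo-pairing-key"  # shared at pairing time (assumption)
    genuine = make_frame(key, 1, SHIFT_UP)                     # one legitimate shift
    forged = struct.pack(">IB", 2, SHIFT_UP) + bytes(TAG_LEN)  # built without the key
    deliveries = [genuine, genuine, forged]                    # same recorded frame twice, then a fake
    naive_ok, authed_ok, naive_gear, auth_gear, last = [], [], 5, 5, 0
    for frame in deliveries:
        ok, naive_gear = naive_accept(naive_gear, frame)
        naive_ok.append(ok)
        ok, last, auth_gear = auth_accept(key, last, auth_gear, frame)
        authed_ok.append(ok)
    return {"naive": naive_ok, "authed": authed_ok, "gears": (naive_gear, auth_gear)}
```

The naive receiver ends three sprockets up after one real shift, while the authenticated one moved exactly once; a real design would also need to handle counter rollover and re-pairing, which this toy omits.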