Path: ...!news.misty.com!2.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Jeff Liebermann <jeffl@cruzio.com>
Newsgroups: rec.bicycles.tech
Subject: Re: Jamming Shimano Di2
Date: Sat, 17 Aug 2024 09:14:29 -0700
Lines: 68
Message-ID: <opg1cj5kmiullu25leaaii4redindeohj4@4ax.com>
References: <ona0cjlnpdmjv5c2r6nlm1ubb3mi4jqf55@4ax.com> <v9q3t0$1sfv4$10@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 9+TGwOriZTkZxVZfWO0QLwBmwQgG0JV/NdC3kH9mxu5upw0YmV
Cancel-Lock: sha1:Z3XnL/sNiYgAEaTbdagt4/pFU1E= sha256:wxj9+uphGmLWjd5lxpZO+aDlaVbWH2/b8bM0LRha5PQ=
User-Agent: ForteAgent/8.00.32.1272
Bytes: 4156

On Sat, 17 Aug 2024 08:09:03 -0400, zen cycle
<funkmasterxx@hotmail.com> wrote:

>On 8/17/2024 1:06 AM, Jeff Liebermann wrote:
>> Welcome to electronic warfare for bicycle racing.
>> 
>> "High-end racing bikes are now vulnerable to hacking"
>> <https://www.theverge.com/2024/8/14/24220390/bike-hack-wireless-gear-shifters>
>> "They also found it’s possible to disable gear shifting for one
>> particular bike with a targeted jamming attack, rather than impacting
>> all surrounding ones."
>> 
>> "Cybersecurity Flaws Could Derail High-profile Cycling Races"
>> <https://today.ucsd.edu/story/cybersecurity-flaws-could-derail-high-profile-cycling-races>
>> "Attackers can record and retransmit gear-shifting commands, allowing
>> them to control gear-shifting on the bike without the need for
>> authentication via cryptographic keys."
>> 
>> "No, you won't be able to hack pro cyclists' electronic gears"
>> <https://road.cc/content/tech-news/no-you-wont-be-able-hack-pro-cyclists-electronic-gears-309913>
>> "Could one of the world's best professional cyclists lose a bike race
>> because of nefarious hacking or jamming of their electronic shifting?
>> That's the question thrust into the spotlight since US-based
>> researchers revealed a radio attack technique that can target and hack
>> into Shimano Di2, causing a cyclist's gears to change, or even be
>> disabled, via a £175 device up to 10 metres away."
>> 
>> "MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in
>> Bicycles"
>> <https://www.usenix.org/system/files/woot24-motallebighomi.pdf>
>> "...we uncovered the following critical vulnerabilities:
>> (1) A lack of mechanisms to prevent replay attacks that allows an
>> attacker to capture and retransmit gear shifting commands;
>> (2) Susceptibility to targeted jamming, that allows an attacker to
>> disable shifting on a specific target bike;
>> (3) Information leakage resulting from the use of ANT+ communication,
>> that allows an attacker to inspect telemetry from a target bike."
>> 

>something tells me this could get very interesting....

Agreed.  What I find amusing (but not surprising) is that Shimano's
proprietary protocol is seriously lacking:

(1)  It's vulnerable to a replay DoS (denial of service) attack, which
is a very basic security failure that should have been tested.  There
are other possible attacks, which I'm sure the forces of evil are now
furiously testing for additional security issues.

(2)  Reliance on ANT+ security, which has provisions for encryption,
but nothing for cryptographic authentication.  That means the forces
of evil could forge ANT+ packets and impersonate devices.
"Analyzing a low-energy protocol and cryptographic solutions"  (Mar
2015)
<https://courses.csail.mit.edu/6.857/2015/files/camelosa-greene-loving-otgonbaatar.pdf>
At least Shimano's use of BTLE (bluetooth low energy), for Di2 control
and configuration, is fairly secure.

(3)  Security by Obscurity doesn't work for very long.  Shimano and
ANT (owned by Garmin) should publish and perhaps open source their
proprietary protocols in order get help from the cryptographic
community.

-- 
Jeff Liebermann                 jeffl@cruzio.com
PO Box 272      http://www.LearnByDestroying.com
Ben Lomond CA 95005-0272
Skype: JeffLiebermann      AE6KS    831-336-2558