The researchers are now working with Shimano, one of the leading bicycle component manufacturers, to patch the vulnerabilities. They focused on Shimano because the company has the largest market share for wireless gear shifters. Researchers will present their work at the 18th USENIX WOOT Conference, which will be held on August 12 and 13 in Philadelphia.
The gear shifting system works by deploying wireless links between the gear shifters controlled by the riders and the device that moves chains between gears on the bike, called a derailleur.
The team uncovered three key vulnerabilities within this wireless system:
Attackers can record and retransmit gear-shifting commands, allowing them to control gear shifting on the bike without the need for authentication via cryptographic keys. The research team successfully conducted record-and-replay attacks from a distance of up to 10 meters (roughly 10 yards) using off-the-shelf devices known as software-defined radios, without needing an amplifier to boost signal strength. Recorded data could be reused at any time, provided the bike components remain paired.
Attackers can also easily disable and jam gear shifting on a specific bike without affecting nearby systems, creating significant risks for riders.
The wireless system used a communication protocol, ANT+, which leaks information, allowing attackers to monitor what their target is doing in real time.
“The history of professional cycling’s struggles with illegal performance-enhancing drugs underscores the appeal of such undetectable attacks, which could similarly compromise the sport’s integrity. Given these risks, it is essential to adopt an adversary’s viewpoint and ensure that this technology can withstand motivated attackers in the highly competitive environment of professional cycling,” researchers add.
Researchers developed several countermeasures to prevent replay attacks, mitigate targeted jamming, and prevent information leakage. Shimano has already implemented some of these measures and a new update will make them widely available soon.
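The replay weakness described above comes down to missing freshness: a receiver that only checks that a frame is well formed, or even correctly keyed, will accept the same recording again for as long as the pairing lasts. The following is an added example, not Shimano's protocol or the researchers' published countermeasure; the frame layout, tag size, key and command values are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8                      # truncated HMAC-SHA256 tag (assumed size)
BODY = struct.Struct(">IB")      # hypothetical layout: 32-bit counter, 1-byte command

def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Shifter side: authenticate the counter and the command together."""
    body = BODY.pack(counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def tag_ok(key: bytes, frame: bytes) -> bool:
    if len(frame) != BODY.size + TAG_LEN:
        return False
    body, tag = frame[:BODY.size], frame[BODY.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)

class AuthOnlyReceiver:
    """Checks the tag only: a recorded frame stays valid while the key is paired."""
    def __init__(self, key: bytes):
        self.key = key
    def accept(self, frame: bytes) -> bool:
        return tag_ok(self.key, frame)

class FreshnessReceiver(AuthOnlyReceiver):
    """Also requires a strictly increasing counter, so each frame works once."""
    def __init__(self, key: bytes):
        super().__init__(key)
        self.last_counter = -1   # a real device must keep this across power cycles
    def accept(self, frame: bytes) -> bool:
        if not tag_ok(self.key, frame):
            return False
        counter, _command = BODY.unpack(frame[:BODY.size])
        if counter <= self.last_counter:   # replayed or stale frame
            return False
        self.last_counter = counter        # gaps allowed: radio frames get lost
        return True

def demo() -> dict:
    key = b"constructed-pairing-key"       # constructed sample key
    recorded = make_frame(key, 7, 0x01)    # stands in for a frame captured off the air
    weak, strong = AuthOnlyReceiver(key), FreshnessReceiver(key)
    return {
        "weak": [weak.accept(recorded), weak.accept(recorded)],
        "strong": [strong.accept(recorded), strong.accept(recorded)],
        "strong_next": strong.accept(make_frame(key, 9, 0x02)),
        "strong_tampered": strong.accept(recorded[:4] + b"\x02" + recorded[5:]),
    }
```

The authentication-only receiver accepts the recorded frame both times, while the counter-checking receiver accepts it once, rejects the replay, and still accepts a later frame after a gap in the counter.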
Source link : https://today.ucsd.edu/story/cybersecurity-flaws-could-derail-high-profile-cycling-races
Publish date : 2024-08-14 15:04:28