Re: Jamming Shimano Di2

On Sat, 17 Aug 2024 12:27:26 -0400, zen cycle
<funkmasterxx@hotmail.com> wrote:

On 8/17/2024 12:14 PM, Jeff Liebermann wrote:

On Sat, 17 Aug 2024 08:09:03 -0400, zen cycle
<funkmasterxx@hotmail.com> wrote:
 

On 8/17/2024 1:06 AM, Jeff Liebermann wrote:

Welcome to electronic warfare for bicycle racing.
>
"High-end racing bikes are now vulnerable to hacking"
<https://www.theverge.com/2024/8/14/24220390/bike-hack-wireless-gear-shifters>
"They also found it’s possible to disable gear shifting for one
particular bike with a targeted jamming attack, rather than impacting
all surrounding ones."
>
"Cybersecurity Flaws Could Derail High-profile Cycling Races"
<https://today.ucsd.edu/story/cybersecurity-flaws-could-derail-high-profile-cycling-races>
"Attackers can record and retransmit gear-shifting commands, allowing
them to control gear-shifting on the bike without the need for
authentication via cryptographic keys."
>
"No, you won't be able to hack pro cyclists' electronic gears"
<https://road.cc/content/tech-news/no-you-wont-be-able-hack-pro-cyclists-electronic-gears-309913>
"Could one of the world's best professional cyclists lose a bike race
because of nefarious hacking or jamming of their electronic shifting?
That's the question thrust into the spotlight since US-based
researchers revealed a radio attack technique that can target and hack
into Shimano Di2, causing a cyclist's gears to change, or even be
disabled, via a £175 device up to 10 metres away."
>
"MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in
Bicycles"
<https://www.usenix.org/system/files/woot24-motallebighomi.pdf>
"...we uncovered the following critical vulnerabilities:
(1) A lack of mechanisms to prevent replay attacks that allows an
attacker to capture and retransmit gear shifting commands;
(2) Susceptibility to targeted jamming, that allows an attacker to
disable shifting on a specific target bike;
(3) Information leakage resulting from the use of ANT+ communication,
that allows an attacker to inspect telemetry from a target bike."
>

 

something tells me this could get very interesting....

 
Agreed.  What I find amusing (but not surprising) is that Shimano's
proprietary protocol is seriously lacking:
 
(1)  It's vulnerable to a replay DoS (denial of service) attack, which
is a very basic security failure that should have been tested.  There
are other possible attacks, which I'm sure the forces of evil are now
furiously testing for additional security issues.
 
(2)  Reliance on ANT+ security, which has provisions for encryption,
but nothing for cryptographic authentication.  That means the forces
of evil could forge ANT+ packets and impersonate devices.
"Analyzing a low-energy protocol and cryptographic solutions"  (Mar
2015)
<https://courses.csail.mit.edu/6.857/2015/files/camelosa-greene-loving-otgonbaatar.pdf>
At least Shimano's use of BTLE (bluetooth low energy), for Di2 control
and configuration, is fairly secure.
 
(3)  Security by Obscurity doesn't work for very long.  Shimano and
ANT (owned by Garmin) should publish and perhaps open source their
proprietary protocols in order get help from the cryptographic
community.
 

ANT+ was never intended as a control protocol AFAIU.

I beg to differ.  Everything is bi-directional.  Most of the available
ANT profiles include some level of control.  Usually, it's just
calibration, reset, auto-zero etc.  There's even a profile called
"Controls" to control such vital devices as music players,
smartphones, bicycle computers, etc:
<https://www.thisisant.com/developer/ant-plus/device-profiles#517_tab>

In my never humble opinion, Shimano did the right thing to include
both BTLE and ANT+ support in the Di2.  At the time when the Di2 was
first introduced (2001), there were no BTLE devices.  BTLE was
contrived in 2006 (by Nokia) and absorbed by BT 4.0 in 2010.  The
sensor market was almost all ANT+ and very little BTLE.  All the
pundits proclaimed that ANT+ will eventually die and would be replaced
by BTLE.  That would have happened except the first BTLE chips
suitable for replacing ANT+ were expensive and of marginal quality.
Shimano had to wait for the mobile headset market to reduce the price
and the healthcare market to improve the quality.  Shimano had the to
decide which protocol to support or if they should try to do it all
themselves.  They chose to do both ANT+ in order to support the
largest number of available sensors and BTLE do deal with newer
sensors.  The only thing that Shimano has done wrong (besides the high
price of Di2) is failing to explain all this to its customers.
Personally, I don't think ANT+ will ever completely disappear,

My own experience
with it in my Zwift set-up paired to my Wahoo Kickr  showed it to be
slow and finicky. User forums complained of similar issues. My set-up
worked more accurately and reliably after I switched to the BLE mode.
>
I could definitely see a scenario where a DS riding in a team car could
use a tool that targets a specific rider and keeps forcing the rider
into his 12 at seemingly random times.

You might consider being more devious and damaging.  For example,
resetting the calibration on the derailleur will take the victim out
of the race until he can recalibrate.  Or, just reset everything to
default.

Though it's not anything I'll ever have to worry about, I'll stick with
the simplicity and reliabilty of a cable system, thank you.

Luddite.  It is considered an honor to lose (or die) in the name of
progress.

--
Jeff Liebermann                 jeffl@cruzio.com
PO Box 272      http://www.LearnByDestroying.com
Ben Lomond CA 95005-0272
Skype: JeffLiebermann      AE6KS    831-336-2558