Researchers Thrust a Virtual Stick Into the Bike Spokes
Wireless Gear Shifting System Is Vulnerable to Replay Attacks

Imagine cruising down a bike path and having the gears suddenly shift without warning. Security researchers say cybercriminals could take advantage of new wireless controlled bicycle gear systems to make that happen - and cause crashes and injuries.
Bicycles may seem to be a last frontier of analog transportation: gears, chain and a derailleur connected by wire to manual shifters. But that's not so at the high end of biking, where low-energy wireless systems promise digital precision and more data tracking than mere twisted steel wire can offer.
As is so often the case, manufacturers have been quick to think of the advantages offered by wireless connectivity and slow to grasp the potential for hacking. But academics from Northeastern University and the University of California presented a paper earlier this month that examines two wireless gear-shifting systems made by Japanese bike parts titan Shimano.
The researchers found that hackers could execute what's known as a replay attack, in which an attacker intercepts and records a signal - in this case one transmitted from the bike's shifters to the receiver embedded in the derailleur - and then retransmits, or replays, it. Once the researchers had recorded a signal that caused the Shimano derailleur to upshift or downshift, they could play it back at any time, because the packets in the signal aren't time-stamped.
Wireless gear systems are now used by top cyclists and cycling teams in events such as the Olympics and the Tour de France, causing worries about undetectable race cheating. Bicycling as a sport already has a less-than-clean reputation thanks to high-profile doping scandals and the more recent problem of "motor doping," which involves motors hidden inside bikes. The researchers didn't have to think hard about how replay attacks could be used to boost one rider at the cost of another. "In professional races, any unintended changes to the gear position will have drastic consequences and affect the integrity of the sport," they said.
To sabotage a biker's ride, the researchers deployed a software-defined radio, an antenna and a laptop. The equipment fits easily in a backpack, and its effective range from the targeted bicycle is 10 meters.
Study co-author and Northeastern associate professor Aanjhan Ranganathan told Information Security Media Group that encrypting gear change signals wouldn't be an effective defense. "This is a 'record and replay' attack, meaning we do not require to decrypt any communication but simply record and replay it," he said. The Shimano systems the authors studied do deploy basic encryption to prevent counterfeit signals, but that isn't a guard against the wholesale retransmission of a downshift or upshift signal. "The derailleur thinks it is originating from the gear shifter," he said.
Possible defenses proposed by the researchers include time-stamping packets. But doing so wouldn't be easy, since time stamps require "precise synchronization between the devices," they said. That's a challenge when separate devices lack a shared time source such as the internet or GPS signals.
Shimano could also employ rolling codes, a preventive measure that wouldn't remove the possibility of a replay attack but would at least make one harder to execute. A rolling code security system sends a one-time numeric code generated by an algorithm known by the sender and the receiver.
The researchers contacted Shimano, which collaborated to develop a security patch. The company announced a new firmware update, although it told Wired the update so far is available only to professional cycling teams, with availability to the public set for later this month. As the magazine says, it's not clear how customers are supposed to deploy the patch.
For every technological advancement that solves an existing problem, new problems are also created. The old system of coiled cables may have not been as precise, said Ranganathan, but "wired systems are hard to attack."