To carry out that eavesdrop-and-replay attack, the researchers used a $1500 USRP software-defined radio, an antenna, and a laptop.
Just what I carry on a ride.
Discussed here: https://www.trainerroad.com/forum/t/wireless-shifting-vulnerable-to-jamming-interference/95375/22
Most of the strange rabbit holes already cleared. 
Did anyone think these things were secure? I guess if this actually becomes a problem the easiest solution would be to move back to wires. Itâs just signalling (so pretty thin wire), it canât be that big an engineering problem to route them through, even if itâs more expensive than wireless.
Encryption would work too but would increase power requirements, wouldnât stop jamming attacks, and might be unlawful in some jurisdictions.
But I doubt it will be a problem in practice.
2 Likes
Are you talking Di2 or enterprise SaaS? 
2 Likes
Dear DI2 derailleur owner,
We have noticed some unexpected activity.
Please click the link below to verify your contact information to avoid your derailleur being locked out.
10 Likes
Shimano have issued updated firmware they claim to have resolved the identified issues.
A few observations/thoughts on thisâŚ
- They screwed up the initial firmware roll-out this time last week.
- Coverage of this paper hit Forbes, The Verge, WIRED, etc⌠the fix? Zero mention of it anywhere.
- There has been no communication from Shimano to 12spd Di2 owners (those whoâve registered an account via E-Tube Mobile).
- Thereâs no mention of this update on the Shimano technical forums (S-TEC). Theyâre more interested in promoting âFlash Salesâ than this critical (to some) update.
I really expected more from Shimano on this one. Although I am not surprised.
7 Likes
Proof of concepts always are, itâs convenient. But no reason it couldnât be shrunk to a matchbox size and cost pennies.
I saw your video. Are they running away from it because of a fear of lawsuits, or are they just that inept dealing with their electronic products. Like their power meters, but then there is their cranksets, yikes! Is it upper management? They have a lot of the market by default, but their competition hasnât been that great in the past either. The big road brake fiasco being one where they stumbled. I guess we have to accept some of this, and hope we are âmade rightâ at the end.
Thanks for all your work for cycling.
WhateverâŚ
Iâm using the forum incorrectly. I was waxing philosophical and commenting on the world in general, but it doesnât have much to do with cycling.
Joe Lindsey quoted one tech guy who had the best line - security through obscurity.
1 Like
99.999999999% of people can ignore this vulnerability. The only potential folks who could be hit with this are pros at the very top.
The only potential risk for average riders would be someone setting up a DOS (denial of shifting) attack in an area because they donât like cyclists.
2 Likes
You canât even buy a decent bike for that. How much did the rider spend to put a wireless groupset on his bike? And thatâs not nearly as performance-enhancing as being able to shift your opponentâs bike.
1 Like
Just as the use of floppy discs is deemed secure in some U.S. missile silos, Iâm going to hang onto my mechanical shifters a little while longer.
I donât need the Russians or Iranians hacking me.
2 Likes
Funny
In the 70âs I worked for an electronics company that sold computer equipment to the Navy. It was for shipboard use. It did use 8â floppyâs.
1 Like