Is there anything sacrosanct in this pervasively technology-dependent world? Apparently not, according to a researcher who has claimed that pro cycling can be disrupted through cyberattacks on smart trainers and cycling computers via Bluetooth networks — with riders under threat of losing races and even suffering injuries if someone were to compromise their equipment.
The paper, titled ‘Man-in-the-Middle Attacks on Bluetooth Communication in Virtual Cycling Systems’, is authored by Bastian Wegener and published by an organisation calling itself the ‘Fair E-Racing Alliance’. The paper makes hefty claims about the current safety and security of tech that’s become ubiquitous and essential not just for pro cyclists, but for many of us amateurs too.
If you’re wondering what a ‘Man-in-the-Middle’ (MitM) attack is, the term refers to a type of cyberattack in which a third actor covertly intercepts communications between two parties, and gains the ability to steal or manipulate data.
With regard to cycling, the paper claims that such an event could allow the attacker to manipulate power data, which can “distort race outcomes and compromise competition integrity”, as well as tamper with control signals such as resistance levels of a smart trainer.
“If these signals are tampered with, riders may experience incorrect resistance levels, potentially leading to ineffective training or safety risks,” the paper says. “Compromising this data can have significant real-world consequences, ranging from unfair advantages in competitive races to potential safety risks for riders.”
Which platforms could be vulnerable to MitM attacks? Wegener claims it could be any device using Bluetooth Low Energy (BLE), a wireless protocol used for connecting cycling trainers with virtual riding platforms or cycling computers. That would mean training platforms like Zwift, MyWhoosh and Rouvy, manufacturers of Bluetooth-enabled hardware like Garmin and Wahoo… the list goes on.
He also suggests that such an attack could “disrupt both virtual and real-world racing events”, adding: “Professional cyclists often use smart trainers for warm-ups before time trials or key races, such as the Tour de France or UCI-sanctioned events. A targeted attack could:
- Distort power data, causing a rider to miscalculate their pacing or effort.
- Modify resistance settings, leading to ineffective warm-ups or unnecessary fatigue.
- Cause delayed or incorrect feedback, reducing confidence in power readings during crucial moments.”
The paper also claims that attacks like these could open up riders to potential injuries and physical safety risks in virtual cycling. “Unexpected resistance increases could strain muscles or lead to knee injuries”, or “resistance drops mid-effort might cause loss of control, especially during sprint intervals or out-of-saddle efforts,” Wegener writes.
“If power data is manipulated to underreport effort, an athlete may push harder than intended, risking heat exhaustion or cardiovascular stress,” he adds.
One would like to think that natural instinct would kick in if an elite time trial rider wasn't hitting the desired speeds by following numbers displayed by their power meter, or know to hold back if their wattage was suspiciously low during a warm-up on the trainer – but Wegener's suggestions perhaps demonstrate how crucial technology has become at the top of the sport in recent years.
Concluding notes suggest that implementing stronger security measures, such as asymmetric encryption, enhanced authentication, and periodic address randomisation, can significantly reduce the likelihood of a successful MitM attack.
“One potential solution is the implementation of configurable security settings, allowing virtual cycling platforms to strengthen security for high-impact events (e.g., races with monetary prizes) or adjust security measures based on the severity of potential risks,” Wegener says.
“This targeted approach ensures that participants with capable hardware are protected, while still allowing the broader community to engage without imposing excessively high-security requirements.”
Has any of this actually happened, and what do cycling tech brands have to say?
Keen fans of pro cycling will remember that this isn’t the first time technological fraud has been cited as a huge potential issue in the sport, both in virtual cycling competition and out on the road or trail.
Cycling esports was catapulted into the news for all the wrong reasons in 2022, when Eddy Hoole of South Africa was caught hacking his own data to facilitate a victory in a qualifying event for the 2023 UCI eSports World Championships, hosted by Zwift at the time. Hoole was suspended by Cycling South Africa and banned from Zwift races for six months, so he entered an event on rival virtual cycling platform MyWhoosh in March 2023 - he was swiftly banned from that too.
In August last year, US-based researchers sent the pro cycling world into a frenzy when they demonstrated that Shimano’s Di2 wireless electronic shifting system, the transmission system of choice for many pros (and amateur riders), could be easily hacked with a radio attack technique, using hardware that cost only £175.
The panic was soon tempered by Shimano, with the company confirming that it was working with the researchers to “enhance the communication security for all riders using our Di2 wireless platforms”, a collaboration which led the manufacturer’s engineers to have “identified and created a new firmware update” to deliver on that enhanced security aim.
However, the hacks suggested in this paper are different to the examples cited above. Some of the ways Wegener suggests the claimed vulnerabilities in cycling software and hardware could be manipulated are extreme — we have no evidence that a pro cyclist has ever lost a race or injured themselves trying to follow an inaccurate power meter or heart rate reading because they've had their equipment hacked, and if this did ever play out, it could potentially be a scandal like no other.
But — similar to the ‘wireless doping’ scare that suggested riders’ gears could be altered by a hacker mid-race — is it all just hypothetical?
Chris Snook, Director of PR and Communications at Zwift, told road.cc that there is a “known risk with smart trainer Bluetooth connectivity” and that the tech brand has “controls in place to detect possible interference for our elite-level races”.
He adds: “The biggest risk for this sort of attack exists in live event environments where having more people in a single venue, with multiple connections increases the risk. For such events, WiFi or hardwired connections would be the preferred connection method.
“Due to the limited range of Bluetooth signals, for those riding at home, the likelihood of someone interfering with your trainer connection is almost zero.”
road.cc has also contacted Wahoo, MyWhoosh, and Garmin for comment, but did not receive replies at the time of publication.