“The Tour de France needs to do a proper security review”: Academic behind Shimano electronic gears hacking study on why “it’s hard to tell” if wireless doping has taken place in pro cycling – and why us amateurs shouldn’t be worried

For episode 84 of the road.cc Podcast, we took a deep dive into one of the more curious, and headline grabbing, cycling tech studies of recent years – which discovered that your bike’s electronic shifters may be susceptible to hackers, who could even be lurking at the Vuelta a España, waiting to sabotage Primož Roglič’s next move to the big ring.

Listen to the road.cc Podcast on Apple Podcasts
Listen to the road.cc Podcast on Spotify
Listen to the road.cc Podcast on Amazon Music

That study, published earlier this month by three US-based cyber security experts, explored the security features of Shimano’s Di2 electronic shifting systems, the current most common method of changing gears in the pro peloton.

The researchers rather worryingly concluded, through a black box analysis of Shimano’s systems and a roadside experiment, that they can be hacked by a relatively simple and cheap radio technique – one that potentially has the power to allow nefarious individuals by the roadside or in the peloton itself to change or jam a rival’s gears without their knowledge during a race, in a bid to scupper their chances of victory.

> A “different kind of doping”? Pro cyclists’ electronic gears can be hacked and jammed by attackers with £175 device, leaving “no trace” and allowing rivals to cheat, researchers say

Of course, as anyone who’s even accidentally switched over to pro cycling on the TV knows all too well, cheating and trying to one-up your rivals through illegal, dirty deeds is an integral part of the sport’s history: from Maurice Garin allegedly taking a train at the 1904 Tour to the cocktail of drugs that sustained the likes of Coppi and Anquetil, and the heavy duty blood doping of the 1990s and 2000s.

But, setting aside fridges and fridges of blood bags, this new threat of ‘wireless doping’ only adds to the spectre of technological cheating that has reared its head over the last decade, with persistent allegations of hidden motors swirling around the peloton.

So, this latest study – which for the first time, seems to indicate that pro cyclists could gain an advantage not by making themselves go artificially faster but by slowing down or even stopping their rivals – has certainly rang some alarm bells throughout the cycling world.

Faced with the prospect that their wireless gears can be easily hacked, Shimano last week confirmed that they’ve come up with a firmware fix now being used by all pros at the Vuelta and Tour de France Femmes, and available to all customers by the end of August (SRAM and Campagnolo, who were not part of the study conducted by the academics, are yet to comment).

> No, you won't be able to hack pro cyclists' electronic gears — Shimano shuts down cheating concerns over £175 jamming device, with immediate firmware update to "enhance security" already in use by pro cycling teams

But does wireless doping pose proper existential threat to the cycling world?

To find that out, we spoke to one of the researchers behind the much-talked-about Di2 analysis, Dr Earlence Fernandes, from the University of California in San Diego.

In this week’s podcast episode, Ryan chats to Earlence, a cyclist himself, about what inspired him to delve into the security set-ups and flaws of wireless shifting, how hacking someone’s gears actually works, his subsequent interactions with Shimano, and how pervasive he thinks the threat of wireless doping could be to both the pro cycling world and us weekend warriors out on a Saturday group ride.

“It’s hard to tell if people are actually using things like this,” Dr Fernandes said when asked whether his experiment could possibly be repeated in the peloton.

“It’s possible hackers know about these vulnerabilities but don’t talk about it. That certainly happens in the computer security community more broadly, people exploit these vulnerabilities in the dark without the public knowing. But for cycling specifically, I don’t know.”

But what about those non-pro cyclists who’ve moved over to electronic shifting – are they in danger of being hacked?

“I think non-professional cyclists have nothing to worry about,” he reassures us. “I find it very hard to believe that on my Saturday group ride, someone is out to get me by hacking my shifters. That just seems like a threat that’s very, very small.

“In a very competitive sporting environment, it’s by definition adversarial. On your group ride, there might be anti-cycling activists who might want to sabotage you in this way. But the attack requires at least some level of sophistication, so I’m not sure how sophisticated or motivated these anti-cycling activists are.”

> 10 things you didn't know your electronic groupset could do! How to get the most out of Shimano Di2 and SRAM AXS

Despite his assurances, Earlence is also convinced that cycling’s biggest races and the UCI need to get out ahead of the game when it comes to tackling possible cyber hackers, including beyond Di2.

“There’s a lot of technology at these events,” he notes.

“The bikes themselves are just one piece of it, but if you think about the actual race, there’s a lot of technology operating there.

“And someone needs to do a proper security review – the Tour de France, the Giro, the Vuelta, they need actual security professionals to look into this kind of thing. And I hope for their sake they do!”

The road.cc Podcast is available on Apple Podcasts, Spotify, and Amazon Music, and if you have an Alexa you can just tell it to play the road.cc Podcast. It’s also embedded further up the page, so you can just press play.