web analytics

Researchers Thrust a Virtual Stick Into the Bike Spokes – Source: www.databreachtoday.com

researchers-thrust-a-virtual-stick-into-the-bike-spokes-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Endpoint Security
,
Internet of Things Security

Wireless Gear Shifting System Is Vulnerable to Replay Attacks

Anviksha More (AnvikshaMore) •
August 21, 2024    

Researchers Thrust a Virtual Stick Into the Bike Spokes
These bicycles are close enough to hack. (Image: Shutterstock)

Imagine cruising down a bike path and having the gears suddenly shift without warning. Security researchers say cybercriminals could take advantage of new wireless controlled bicycle gear systems to make that happen – and cause crashes and injuries.

See Also: SASE: Recognizing the Challenges of Securing a Hybrid Workforce

Bicycles may seem to be a last frontier of analog transportation: gears, chain and a derailleur connected by wire to manual shifters. But that’s not so at the high end of biking, where low-energy wireless systems promise digital precision and more data tracking than mere twisted steel wire can offer.

As is so often the case, manufacturers have been quick to think of the advantages offered by wireless connectivity and slow to grasp the potential for hacking. But academics from Northeastern University and the University of California presented a paper earlier this month that examines two wireless gear-shifting systems made by Japanese bike parts titan Shimano.

The researchers found that hackers could execute what’s known as a replay attack – in which a hacker intercepts and records a signal, in this case transmitted from the bike shifters to the receiver embedded into the derailleur. The hackers then retransmits, or replays, the signal. The researchers found that once they recorded a signal that caused the Shimano derailleur to upshift or downshift, they could play it back at any time, since the packets in the signal aren’t time stamped.

Wireless gear systems are now used by top cyclists and cycling teams in events such as the Olympics and the Tour de France, causing worries about undetectable race cheating. Bicycling as a sport already has a less-than-clean reputation thanks to high-profile doping scandals and the more recent problem of “motor doping,” which involves motors hidden inside bikes. The researchers didn’t have to think hard about how replay attacks could be used to boost one rider at the cost of another. “In professional races, any unintended changes to the gear position will have drastic consequences and affect the integrity of the sport,” they said.

To sabotage a biker’s ride, the researchers deployed a software-defined radio, an antenna and a laptop. Their equipment could easily fit in a backpack, meaning the effective range limit from the targeted bicycle is 10 meters.

Study co-author and Northeastern associate professor Aanjhan Ranganathan told Information Security Media Group that encrypting gear change signals wouldn’t be an effective defense. “This is a ‘record and replay’ attack, meaning we do not require to decrypt any communication but simply record and replay it,” he said. The Shimano systems the authors studied do deploy basic encryption to prevent counterfeit signals, but that isn’t a guard against the wholesale retransmission of a downshift or upshift signal. “The derailleur thinks it is originating from the gear shifter,” he said.

Possible defenses proposed by researchers include time-stamping packets. But doing so wouldn’t be easy, since time stamps require “precise synchronization between the devices,” they said. That’s a challenge when separate devices lack a shared time source such as the internet or GPS signals.

Shimano could also employ rolling codes, a preventive measure that wouldn’t remove the possibility of a replay attack but would at least make one harder to execute. A rolling code security system sends a one-time numeric code generated by an algorithm known by the sender and the receiver.

The researchers contacted Shimano, which collaborated to develop a security patch. The company announced a new firmware update, although it told Wired the update so far is available only to professional cycling teams, with availability to public set for later this month. As the magazine says, it’s not clear how customers are supposed deploy the patch.

For every technological advancement that solves an existing problem, new problems are also created. The old system of coiled cables may have not been as precise, said Ranganathan, but “wired systems are hard to attack.”

Original Post url: https://www.databreachtoday.com/researchers-thrust-virtual-stick-into-bike-spokes-a-26107

Category & Tags: –

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
WILEY
Cybercrime Investigators Handbook by WILEY
Cybercrime Investigators Handbook by WILEY
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

LogRhythm
A Guide to User and Entity Behavior Analytics (UEBA)
A Guide to User and...
BONI YEAMIN
100 Offensive Linux Security Tools
100 Offensive Linux Security Tools
SentinelOne
90 DAYS A CISO’S JOURNEY TO IMPACT
90 DAYS A CISO’S JOURNEY...
ChiefExecutive
Ciberseguridad: Prioridad Estratégica para los CEO.
Ciberseguridad: Prioridad Estratégica para los...
CYBER SECURITY COALITION
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
INL/EXT
Cybersecurity for Distributed Wind
Cybersecurity for Distributed Wind
ARTIC WOLF
Cybersecurity Compliance Guide
Cybersecurity Compliance Guide
ESRAA MOHAMAD
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
DRAGOS
Impact of FrostyGoop ICS Malware on Connected OT Systems
Impact of FrostyGoop ICS Malware...
Victor Tong
Digital Operational Resilience Act – Control Mappings
Digital Operational Resilience Act –...
ARMIS
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
DORA Resiliency Guide Strengthening Cybersecurity...
IGNITE Technologies
Docker Penetration Testing
Docker Penetration Testing

More Latest Published Posts

Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats and security best practices
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by Cigref
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web Server SystemsHacking Techniques
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SOC SIEM Use Cases
SOC SIEM Use Cases
safecode
Six Pillars of DevSecOps- Collaboration and Integration
Six Pillars of DevSecOps- Collaboration and Integration
SentineOne
WatchTower I ntelligence-Driven Threat Hunting
WatchTower I ntelligence-Driven Threat Hunting
CNIL
Security of Personal Data
Security of Personal Data
OPSWAP
Securing ICS SCADA updates OT Environments
Securing ICS SCADA updates OT Environments
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
WITH SECURE
Threat Landscape Update Report
Threat Landscape Update Report
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
Mihaela Curcă
The Role of Cyber Espionage inInternational Relations
The Role of Cyber Espionage inInternational Relations
GLOBAL NETWORK OF DIRECTOR INSTITUTES
THE FUTURE OF BOARD GOVERNANCE
THE FUTURE OF BOARD GOVERNANCE
Deloitte
The CISO’s Guide to Generative AI
The CISO’s Guide to Generative AI
Capgemini
PROMPT THE FUTURE
PROMPT THE FUTURE
Google
We’re All in this Together
We’re All in this Together
CyberSN
U.S. Cybersecurity Job Posting Data Report
U.S. Cybersecurity Job Posting Data Report
CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing