Computer scientists at the University of California, San Diego and Northeastern University have successfully hacked a Shimano Di2 and concluded that wireless groupset is not as secure as previously thought.

Using devices known as signal jammers and software-defined radios, the researchers were not only able to remotely make unintended shifts, but also to stop the groupset from working altogether.

The trio, consisting of Maryam Motallebighomi, Earlence Fernandes, and Aanjhan Ranganathan, stated that the devices could be used maliciously in big races like the Tour de France to gain undue advantage. [Security vulnerabilities in wireless shifting systems can have a critical impact on rider safety and performance, especially in professional bicycle races. In these races, attackers can exploit these vulnerabilities to gain an unfair advantage and manipulate gear shifts or interfere with shifting maneuvers, causing crashes and injuries.”

In their study, the researchers chose the Japanese brand Shimano, considered the market leader, for their analysis, focusing on its 105 Di2 and Dura-Ace Di2 groupset.

Through a “black box analysis” of Shimano's wireless protocols, they found three major vulnerabilities. [...] [...] [...] [...] [...] [...] [...] [...] [...] [...] [...] [...] [...] [...] [...]

Shimano also added that the update will be available to pro teams, with a firmware patch for consumers to follow.

“The firmware update is already available to women's and men's pro race teams and will be available to all public riders in late August. With this release, riders will be able to update their rear derailleur firmware using the E-TUBE Cyclist smartphone app. More information on the update process and the steps riders can take to update their Di2 systems will be available soon.”

Cycling News also asked both Shimano and SRAM if they were aware of any actual instances of groupset hacking for competitive advantage, but so far neither has responded.