
Hackers Could Take Control Of Your Bike’s Gears
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Security researchers discover critical vulnerabilities in wireless bicycle gear-shifting technology, as reported today by Forbes.
A team of researchers from Northeastern University and UC San Diego reported that gears can be changed or jammed from as far as 32 feet away. By exploiting vulnerabilities in the gear-shifting system, attackers could interfere with cyclists’ ability to control their bikes.
Forbes reported that this could allow attackers to remotely control a cyclist’s gears, potentially causing accidents or giving them an unfair advantage in competitions.
The researchers focused on Shimano Di2 wireless gear-shifting technology, a popular choice among professional cyclists. They found that the system lacks sufficient security measures to prevent replay attacks and jamming. This means that attackers could capture and retransmit gear-shift commands or disable gear-shifting completely.
The researchers point out that the bicycle industry is increasingly adopting wireless gear-shifting technology due to its performance and design benefits.
The researchers found three main security problems with the bike-shifting system. Firstly, hackers can record gear-shifting commands and play them back later to trick the bike into shifting gears without the rider’s input.
Secondly, hackers can use special equipment to block the communication between the rider’s control and the bike, preventing the bike from shifting gears. Finally, they can intercept the wireless communication between the bike and the rider’s control to gather information about the bike’s speed, gear, and other data.
The researchers suggest several strategies to protect the system from hacking. For example, adding timestamps to signals can prevent old messages from being used, but this requires the devices to be perfectly synchronized, which isn’t always easy.
Another approach they suggest is using rolling codes, where each signal has a one-time-use code. This makes it harder for hackers to intercept and reuse commands. They state that this method is commonly used in car key fobs and could be beneficial here as well.
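A minimal sketch of the rolling-code idea described above, added here as an illustration and not taken from the researchers' paper or Shimano's firmware: each shift command carries a counter and an HMAC tag, and the receiver refuses any counter value it has already accepted. The frame layout, key, window size and all names are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed: how far ahead of the last counter a frame may be
TAG_LEN = 8   # assumed: truncated HMAC-SHA256 tag length in bytes

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Shifter side: 4-byte counter || command || tag over both."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Derailleur side: every counter value is accepted at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> str:
        if len(frame) < 4 + 1 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"          # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return "reject: replay"           # already-used code
        if counter - self.last_counter > WINDOW:
            return "reject: out of window"    # needs an explicit re-pairing
        self.last_counter = counter
        return "accept: " + body[4:].decode("ascii", "replace")

def demo() -> list:
    key = b"constructed-demo-key"             # constructed sample key
    rx = Receiver(key)
    shift_up = make_frame(key, 1, b"UP")
    good = make_frame(key, 3, b"UP")
    tampered = good[:-1] + bytes([good[-1] ^ 0xFF])
    return [
        rx.receive(shift_up),                      # first use
        rx.receive(shift_up),                      # recorded frame played back
        rx.receive(make_frame(key, 2, b"DOWN")),   # next legitimate shift
        rx.receive(make_frame(key, 100, b"UP")),   # far outside the window
        rx.receive(tampered),                      # last tag byte altered
    ]
```

The counter check addresses replay only; the jamming and eavesdropping problems listed in the article need separate measures.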
Additionally, they suggest that limiting the range at which commands are accepted can prevent remote attacks by ensuring only nearby signals are allowed. However, Shimano’s system doesn’t seem to include the protections above, leaving it vulnerable to attacks.
Forbes reports that the researchers have disclosed their findings to Shimano. The company has not yet provided a public statement. However, it has confirmed that it is working to address the vulnerabilities.

Vulnerability Discovered in WPML, Popular WordPress Multilingual Plugin
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
As reported by Cybernews today, WPML, a popular tool for creating multilingual WordPress websites, is vulnerable to cyber-attacks. This security flaw, discovered by security researcher “stealthcopter,” could allow attackers to execute code remotely on vulnerable websites.
Cybernews notes that WPML, with over a million active installations, is a widely used plugin for managing translations and language switching on WordPress sites. However, the researcher reported that the plugin’s handling of certain content types was susceptible to server-side template injection attacks.
By exploiting this vulnerability, attackers could potentially gain unauthorized access to a website’s server and steal sensitive information, such as passwords, user data, and other confidential information.
“The crafted payload uses the dump function to gather letters needed to construct commands without using quotes. Once we have basic command execution, we can further leverage it to gain more control over the server,” the researcher said in his report.
The researcher demonstrated the vulnerability by successfully executing a malicious shortcode within the WordPress editor. While crafting complex commands might require additional workarounds, the potential consequences of a successful attack are severe.
This incident underscores that security is an ongoing process that demands vigilance throughout all stages of development and data handling.
The researcher concludes that this vulnerability highlights the risks of inadequate input sanitization in templating engines. He advises that developers consistently sanitize and validate user inputs, particularly when rendering dynamic content.
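The difference between treating user input as template source and treating it as data, shown as an added example (not WPML's code): Python's `str.format` stands in for the plugin's template engine, and the `lang_link` shortcode, its `code` attribute, the render context and the allowlist are all hypothetical.

```python
import html
import re

# Constructed render context; db_password stands in for server-side secrets.
CONTEXT = {"site": "example.test", "db_password": "constructed-secret"}
LANG_CODE = re.compile(r"[a-z]{2}(-[a-z]{2})?")  # assumed allowlist, e.g. fr, pt-br
PROBE = '[lang_link code="{ctx[db_password]}"]'  # constructed test input

def shortcode_attrs(shortcode: str) -> dict:
    """Extract key="value" pairs from a shortcode such as [lang_link code="fr"]."""
    return dict(re.findall(r'(\w+)="([^"]*)"', shortcode))

def render_vulnerable(shortcode: str) -> str:
    """Attribute text is pasted into the template source, then evaluated."""
    code = shortcode_attrs(shortcode).get("code", "")
    template = "<a href='https://{ctx[site]}/" + code + "/'>" + code + "</a>"
    return template.format(ctx=CONTEXT)

def render_hardened(shortcode: str) -> str:
    """Fixed template; the attribute is validated, escaped and passed as data."""
    code = shortcode_attrs(shortcode).get("code", "")
    if not LANG_CODE.fullmatch(code):
        raise ValueError("rejected language code")
    template = "<a href='https://{ctx[site]}/{code}/'>{code}</a>"
    return template.format(ctx=CONTEXT, code=html.escape(code))

def leaks_secret(render, shortcode: str) -> bool:
    """Regression check: does rendering this shortcode expose context data?"""
    try:
        return CONTEXT["db_password"] in render(shortcode)
    except ValueError:
        return False   # input was rejected before it reached the template

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_secret(render_vulnerable, PROBE))
    print("hardened leaks:  ", leaks_secret(render_hardened, PROBE))
    print(render_hardened('[lang_link code="fr"]'))
```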
Stealthcopter reported this vulnerability via the Wordfence Bug Bounty Program and received a bounty of $1,639.00, as noted by Wordfence. Wordfence states that this vulnerability has been addressed in version 4.6.13 of WPML and strongly advises users to update their sites to the latest patched version as soon as possible.