Like any other sport, the world of professional cycling has seen its share of cheaters who have taken performance-enhancing drugs to gain an edge over the competition. Strangely enough, it happens in eSports as well, with some professional teams being accused of taking Adderall during high-pressure matches. Those eSports also include races in virtual cycling, where players ride real bicycles to power online avatars using nothing but muscle. As with any game, there is the possibility of cheating in this area as well but not just through doping, but through hacking as well.
Cybersecurity consultant Brad Dixon from Carve Systems detailed how he managed to cheat in Zwift — a popular training app for cyclists that let users compete against one another, during a talk at this year’s DEF CON. The app requires players to remove the back wheel of their bike and set it in a stationary trainer device that uses sensors and resistance to translate power and speed to the online avatar. Dixon wanted to see if he could manipulate that data traveling from the bike to the Zwift and managed to successfully trick the system into thinking he was superhuman when in reality he wasn’t peddling at all.
Zwift needs to be connected to a PC and requires users to input their height and weight in the app to determine the rider’s output, thus those that weigh less travel faster. While riding, sensors in the device take readings, which are passed to the PC using the ANT+ protocol, which Dixon took advantage of by using the open source USBQ tool kit and a BeagleBone Black to modify those sensor readings. To make the little cyclist on-screen travel faster, Dixon presses a trigger on a wireless Xbox controller, allowing him to walk away from the Zwift platform while putting the avatar in cruise control. While Dixon’s design works well for at-home competitions, it would almost certainly be discovered at public events, certainly if the top rider is at the beer garden and not on the cycle itself.