Security flaw in a popular smart helmet allowed silent location tracking


Share post:

The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets.

Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet’s in-built speaker and microphone, and share their real-time location in a friend’s group using Livall’s smartphone apps.

Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall’s smartphone apps had a simple flaw allowing easy access to any group’s audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall’s apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group’s six-digit numeric code.

“That 6-digit group code simply isn’t random enough,” Munro said in a blog post describing the flaw. “We could brute force all group IDs in a matter of minutes.”

In doing so, anyone could access any of the one million possible permutations of group chat codes.

“As soon as one entered a valid group code, one joined the group automatically,” said Munro, adding that this happened without alerting other group members.

“It was therefore trivial to silently join any group, giving us access to any users’ location and the ability to listen in to any group audio communications,” said Munro. “The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group.”

Munro and his security research colleagues are no strangers to finding obscure but often simple flaws in internet-connected products, like car alarms, dating apps, and sex toys. The firm found in 2021 that Peloton was exposing riders’ private account data because of a leaky API, in which TechCrunch proudly played guinea pig.

After reaching out to Livall, which asked for more information, Munro sent details of the flaw on January 7 but did not hear back, and received no acknowledgement from the company.

Given the risk to users with no expectation that the flaw would be fixed, Munro alerted TechCrunch to the flaw and TechCrunch contacted Livall for comment.

When reached by email, Livall founder Bryan Zheng committed to fixing the app within two weeks of our email but declined to take down the Livall apps in the interim.

TechCrunch held this report until Livall confirmed it had fixed the flaw in app updates that were released this week.

In an email, Livall’s R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

NFX’s James Currier will break down MVPs at TechCrunch Early Stage 2024

Everyone has heard of minimum viable products (MVPs), early versions of a future startup’s product that contains...

Elon Musk sues OpenAI and Sam Altman over ‘betrayal’ of non-profit AI mission

Elon Musk sued OpenAI, its co-founders Sam Altman and Greg Brockman and affiliated entities on Thursday, alleging...

Facebook plans to shut down its news tab in the U.S. and Australia

Meta is trying to distance itself from news media-related regulations and payment complexities as it is planning...

Google to remove some Indian apps over Play Store fees violation

Google has warned it will begin removing apps in India from its Play Store if developers do...

Intuitive Machines’ first moon lander also broke ground with safer, cheaper rocket-style propulsion

Intuitive Machines’ first lunar lander officially lost power today after spending seven days on the moon. The...

Lordstown Motors charged with misleading investors about the sales potential of its EV pickup

The Securities and Exchange Commission has charged bankrupt Lordstown Motors with misleading investors about the sales prospects...

A minor league baseball team trolls Disney with its ‘Steamboat Willie’ jerseys

I’ve seen enough: The prize for the best use of public domain Mickey Mouse goes to the...

Fisker is laying off 15% of staff and says it needs more cash ahead of a “difficult year”

Electric vehicle startup Fisker is planning to lay off 15% of its workforce and says it likely...