The manufacturer of a popular smart ski and bike helmet has addressed a security vulnerability that permitted easy real-time tracking of individuals wearing its helmets.
Livall produces internet-connected helmets that enable groups of skiers or bikers to communicate through the helmet’s built-in speaker and microphone, and to share their real-time location within a friends group using Livall’s smartphone apps.
According to Ken Munro, founder of the U.K.-based cybersecurity testing firm Pen Test Partners, Livall’s smartphone apps contained a straightforward flaw that allowed unauthorized access to any group’s audio chats and location data. Munro stated that the two apps, one for skiers and another for bikers, collectively boast about a million users.
At the crux of the issue, Munro found that users of Livall’s apps had to be in the same friends group to share audio chats and location, and that the only thing needed to get into a group was that group’s six-digit numeric code.
“That 6-digit group code simply isn’t random enough,” Munro explained in a blog post detailing the flaw. “We could brute force all group IDs in a matter of minutes.”
By doing so, any individual could potentially access any of the 1 million possible permutations of group chat codes.
“As soon as one entered a valid group code, one joined the group automatically,” Munro elaborated, noting that this occurred without alerting other group members.
“It was therefore trivial to silently join any group, giving us access to any users’ location and the ability to listen in to any group audio communications,” Munro continued. “The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group.”
Munro and his security research colleagues have a history of identifying obscure but often straightforward flaws in internet-connected products, including car alarms, dating apps, and sex toys. In 2021, the firm revealed that Peloton was exposing riders’ private account data due to a leaky API, with TechCrunch serving as the test subject.
After contacting Livall, which requested further details, Munro provided information about the flaw on January 7 but received no response or acknowledgment from the company.
Recognizing the potential risk to users in the absence of a resolution, Munro alerted TechCrunch to the flaw, prompting TechCrunch to reach out to Livall for comment.
Upon contact via email, Livall founder Bryan Zheng committed to fixing the app within two weeks of TechCrunch’s email but declined to remove the Livall apps in the meantime.
TechCrunch delayed publication of the report until Livall confirmed the flaw had been addressed in app updates released this week.
In an email response, Livall’s R&D director Richard Yi outlined that the company enhanced the randomness of group codes by incorporating letters and introduced alerts for new group members. Yi also noted that the app now permits users to disable shared location at the individual level.
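The two fixes Yi describes (a larger code alphabet and alerts when someone joins), together with a limit on failed guesses that addresses Munro's brute-force point, can be sketched server-side as follows. This is an added example, not Livall's code: the alphabet, code length, limits and the `GroupService` class are assumptions made for illustration.

```python
import math
import secrets
import time
from collections import defaultdict, deque

# Assumed alphabet: digits plus uppercase letters, minus look-alikes (0/O, 1/I).
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
CODE_LEN = 8       # assumed code length
MAX_FAILS = 5      # assumed: failed guesses allowed per client ...
WINDOW_S = 600     # ... within this many seconds

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random code."""
    return length * math.log2(alphabet_size)

def new_group_code():
    # secrets uses the OS CSPRNG, so codes are not predictable from earlier ones.
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))

class GroupService:
    def __init__(self):
        self.groups = {}                 # code -> list of member ids
        self.fails = defaultdict(deque)  # client id -> failed-guess timestamps
        self.notifications = []          # (recipient, message) pairs

    def create_group(self, owner):
        code = new_group_code()
        while code in self.groups:       # regenerate on the rare collision
            code = new_group_code()
        self.groups[code] = [owner]
        return code

    def join(self, client, code, now=None):
        now = time.time() if now is None else now
        recent = self.fails[client]
        while recent and now - recent[0] > WINDOW_S:
            recent.popleft()             # forget failures outside the window
        if len(recent) >= MAX_FAILS:
            return "locked_out"          # refused even if the code is right
        members = self.groups.get(code)
        if members is None:
            recent.append(now)
            return "invalid_code"
        if client in members:
            return "already_member"
        for m in members:                # no silent joins: tell every member
            self.notifications.append((m, f"{client} joined your group"))
        members.append(client)
        return "joined"
```

A six-digit numeric code carries about 19.9 bits (`keyspace_bits(10, 6)`), while the assumed 8-character code carries 40 bits; the per-client limit still matters, because a larger keyspace alone only slows enumeration.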
