Introduction
Livall, the maker of popular smart ski and bike helmets, has fixed a critical security flaw that allowed anyone to easily track the real-time location of users wearing their helmets. The vulnerability was discovered by Ken Munro, founder of U.K.-based cybersecurity testing firm Pen Test Partners.
Background on Livall Helmets
Livall’s internet-connected helmets enable groups of skiers or bike riders to communicate with each other using built-in speakers and microphones. Users can also share their real-time location within a friend’s group using the company’s smartphone apps. With over one million users across two separate apps (one for skiing and one for biking), Livall’s products have become a popular choice among outdoor enthusiasts.
The Security Flaw
Ken Munro, who has a reputation for uncovering simple yet critical flaws in internet-connected products, discovered that the Livall smartphone apps had a basic vulnerability. To exploit this flaw, an attacker only needed to guess the six-digit numeric code used to access group audio chats and location sharing. According to Munro:
"That 6-digit group code simply isn’t random enough… We could brute force all group IDs in a matter of minutes."
With this information, anyone could access any of the one million possible permutations of group chat codes.
How the Flaw Worked
When an attacker entered a valid group code, they would automatically be added to the group without alerting other members. This allowed them to silently join any group and gain access to users’ location data and listen in on audio communications. The only way for legitimate group members to detect a rogue user was if they checked the group’s membership list.
The Discovery of the Flaw
Munro and his security research colleagues at Pen Test Partners have a history of finding vulnerabilities in internet-connected products, including car alarms, dating apps, and sex toys. In 2021, they discovered that Peloton was exposing riders’ private account data due to a leaky API.
When Munro reached out to Livall with details of the flaw on January 7th, he received no response or acknowledgement from the company. TechCrunch alerted Livall to the potential risk to users and contacted the company for comment.
Livall’s Response
After being informed by TechCrunch about the security flaw, Livall founder Bryan Zheng committed to fixing the app within two weeks of receiving the email. However, he declined to remove the apps from the market until the fix was implemented. The flaw was eventually fixed in an update released by Livall this week.
Livall’s Explanation and Fix
In an email to TechCrunch, R&D director Richard Yi explained that the company had improved the randomness of group codes by incorporating letters and adding alerts for new members joining groups. Additionally, users now have the option to turn off location sharing at their own level.
Conclusion
The security flaw discovered in Livall’s smart helmets highlights the importance of prioritizing user safety in internet-connected products. The simplicity of the vulnerability raises concerns about the potential risks associated with connected devices and the need for manufacturers to take proactive measures to secure their products.
As the world becomes increasingly dependent on technology, it is crucial that companies prioritize security and user safety. By doing so, we can minimize the risk of vulnerabilities like this one being exploited and protect users from potential harm.
Recommendations
To ensure user safety, Livall and other manufacturers should:
- Prioritize security: Regularly conduct thorough security audits to identify potential vulnerabilities.
- Implement robust authentication methods: Use a combination of alphanumeric codes and alerts to prevent unauthorized access.
- Provide transparency: Clearly communicate with users about the measures being taken to address vulnerabilities.
- Regularly update products: Release updates that fix known vulnerabilities and improve overall security.
By taking these steps, companies can minimize the risk of security flaws like this one being exploited and protect their users from potential harm.
Related Stories
