The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets.
Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet’s in-built speaker and microphone, and share their real-time location in a friend’s group using Livall’s smartphone apps.
Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall’s smartphone apps had a simple flaw allowing easy access to any group’s audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.
At the heart of the bug, Munro found that anyone using Livall’s apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group’s six-digit numeric code.
“That 6-digit group code simply isn’t random enough,” Munro said in a blog post describing the flaw. “We could brute force all group IDs in a matter of minutes.”
In doing so, anyone could access any of the 1 million possible permutations of group chat codes.
“As soon as one entered a valid group code, one joined the group automatically,” said Munro, adding that this happened without alerting other group members.
“It was therefore trivial to silently join any group, giving us access to any users’ location and the ability to listen in to any group audio communications,” said Munro. “The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group.”
Munro and his security research colleagues are no strangers to finding obscure but often simple flaws in internet-connected products, like car alarms, dating apps and sex toys. The firm found in 2021 that Peloton was exposing riders’ private account data because of a leaky API, in which TechCrunch proudly played guinea pig.
After reaching out to Livall, which asked for more information, Munro sent details of the flaw on January 7 but did not hear back, and received no acknowledgement from the company.
Given the risk to users with no expectation that the flaw would be fixed, Munro alerted TechCrunch to the flaw and TechCrunch contacted Livall for comment.
When reached by email, Livall founder Bryan Zheng committed to fixing the app within two weeks of our email but declined to take down the Livall apps in the interim.
TechCrunch held this report until Livall confirmed it had fixed the flaw in app updates that were released this week.
In an email, Livall’s R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.