According to cybersecurity firm Pen Test Partners, Livall’s smart helmets had an inherent flaw that could lead to the leaking of critical, sensitive user information including location data.
The emergence of smart ski tech like Oakley/Recon goggles and smart ski helmet speakers has made skiing or biking a lot more fun, but the dangers posed by internet-connected devices cannot be overlooked.
The latest security and privacy issues with smart helmets and other internet-connected gadgets were highlighted in research conducted by UK-based cybersecurity testing firm Pen Test Partners (PTP).
According to PTP, Livall’s smart helmets have an inherent security vulnerability that can lead to the leaking of critical, sensitive user data. Livall is known for smart ski and bike helmets. Its smart helmets allow groups of skiers or bikers to communicate using the built-in speaker and microphone and to share their location within the group through either of Livall’s two smartphone apps. One app is for bike riders and the other for skiers, and together they boast around a million users.
However, according to Pen Test Partners’ researcher Ken Munro, the security vulnerability allows easy access to any group’s audio chats and location data. Livall’s apps for group audio chat and location sharing require users to be part of the same friends’ group, which can only be accessed using a six-digit numeric code. Munro stressed that the code is not random enough, allowing anyone to access any of the 1 million possible group chat codes.
“That 6-digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes,” Munro wrote in the blog post.
This is where the vulnerability occurs. A group code can be entered automatically, allowing a user to join without alerting other members. This allows access to users’ location and audio communications. A rogue group user can only be detected if a legitimate user checks on group members.
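A sketch of server-side controls for the two weaknesses described above, the small code space and the silent join. It is an added example, not Livall's or Pen Test Partners' code; the `GroupService` class, the 12-character alphabet and the lockout thresholds are assumptions.

```python
import math
import secrets
import time

# Assumed alphabet: 32 symbols with look-alikes (0/O, 1/I) removed.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random code."""
    return length * math.log2(alphabet_size)

def new_join_code(length=12):
    """Draw the code from the OS CSPRNG, never from the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class GroupService:
    MAX_FAILURES = 5        # wrong codes allowed before lockout (assumed)
    LOCKOUT_SECONDS = 900   # cool-down after the limit is hit (assumed)

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.groups = {}         # join code -> member list
        self.failures = {}       # client id -> (count, time of last failure)
        self.notifications = []  # (recipient, message) pairs

    def create_group(self, owner):
        code = new_join_code()
        self.groups[code] = [owner]
        return code

    def join(self, client_id, user, code):
        count, last = self.failures.get(client_id, (0, 0.0))
        now = self.clock()
        if count >= self.MAX_FAILURES:
            if now - last < self.LOCKOUT_SECONDS:
                return "locked_out"   # rejected before the code is checked
            count = 0                 # cool-down elapsed, start over
        members = self.groups.get(code)
        if members is None:
            self.failures[client_id] = (count + 1, now)
            return "invalid_code"
        self.failures.pop(client_id, None)
        # No silent joins: every existing member is told who arrived.
        self.notifications += [(m, f"{user} joined") for m in members]
        members.append(user)
        return "joined"
```

Throttling keyed on a client identifier only slows a single source, so the code length carries most of the weight: six digits give about 20 bits, while 12 symbols from this alphabet give 60.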
No Response from Livall to PTP
According to the researchers, several attempts were made to contact Livall, but no response was received. PTP then contacted TechCrunch’s Zack Whittaker on 22 January to get in touch with Livall.
Whittaker agreed to discuss issues with their bike app, which had more flaws than the ski app. Livall’s CEO responded to Whittaker on 23 January and asked for two weeks to fix the problem. On 5 February, Whittaker was informed that the app was updated with stronger join codes.
Meanwhile, IoT device users must exercise caution as the trend of hijacking smart devices and apps is gaining momentum alarmingly quickly. In a recent report, Hackread.com highlighted another shocking discovery by Pen Test Partners, revealing a critical issue in the Airbus Flysmart+ Manager suite.
The app, developed by Airbus-owned IT services company NAVBLUE, had a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information. Researchers informed Airbus about the flaw in June 2022, and it was fixed in February 2023.
Experts Weigh In
To gain insights into this issue and vulnerabilities in IoT devices, we reached out to Adam Pilton, a Cybersecurity Consultant at CyberSmart and former Detective Sergeant who investigated cybercrime at Dorset, England Police.
“The vulnerabilities discovered in Livall helmets have been addressed, but this research prompts crucial considerations. Manufacturers must ensure strong security measures, yet users must also understand the risks of granting permissions to apps,” said Adam.
“Whilst leading the Police Cyber Crime Team I saw many cases in which simple flaws, such as this one, were exposed,” Adam explained. “This led to breaches of privacy, enabled crimes such as domestic abuse and often was the first step in a series of events that led to a significant cyber attack.”
“Timely responses from manufacturers are vital, as delays can exacerbate security risks. Collaboration and transparency are essential in the field of cybersecurity,” he advised.