Whoops: ‘Smart’ Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers

from the dumb-is-smart dept

Makers of new “smart” technologies keen on reinventing the wheel keep inadvertently sending the same message: sometimes dumber technology is smarter.

The latest case in point: a company named Livall makes “smart” bike helmets for skiers and cyclists that include features like auto-fall detection, GPS location monitoring, and integrated braking lights. The problem: the company apparently didn’t spend enough time securing its app, allowing pretty much anybody to listen in on and track the precise location data of a million customers in real time.

Livall’s smartphone apps feature group audio chats and location data. The problem: Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, found that the chat groups were secured by a six-digit PIN code that was very simple to brute force (via TechCrunch):

“That 6 digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes.”

Munro also noted that there was nothing to alert a group of cyclists or skiers that someone new had entered the chat, allowing a third party to monitor them in complete silence:

“As soon as one entered a valid group code, one joined the group automatically. There was no further authorisation nor alerts to the other group user. It was therefore trivial to silently join any group, giving us access to any user’s location and the ability to listen in to any group audio communications.”

Whoops a daisy. As with so many modern “smart” tech companies, Munro also notes that Livall only took their findings seriously once they got a prominent security journalist (Zack Whittaker at TechCrunch) involved to bring attention to the problem. Livall finally fixed the problem, but it’s not entirely clear that would have happened without Whittaker’s involvement.
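For readers who build this kind of feature, here is an added sketch (not Livall's code, and not a description of the fix it shipped) of a group-join service that closes both gaps Munro describes: the guessable code and the silent, automatic join. The class name, the limits and the in-memory notification list are assumptions made for illustration.

```python
import secrets
import time

CODE_BYTES = 16              # assumed: 128-bit random invite code, not a 6-digit PIN
MAX_FAILS, WINDOW = 5, 300   # assumed throttle: 5 bad codes per client per 5 minutes

class GroupService:          # hypothetical service, names are illustrative
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.groups = {}     # code -> {"owner", "members", "pending"}
        self.fails = {}      # client id -> timestamps of recent bad codes
        self.outbox = []     # (recipient, message); stand-in for push alerts

    def create_group(self, owner):
        code = secrets.token_urlsafe(CODE_BYTES)   # CSPRNG, never sequential
        self.groups[code] = {"owner": owner, "members": {owner}, "pending": set()}
        return code

    def _throttled(self, client):
        now = self.clock()
        recent = [t for t in self.fails.get(client, []) if now - t < WINDOW]
        self.fails[client] = recent
        return len(recent) >= MAX_FAILS

    def request_join(self, client, code):
        if self._throttled(client):
            return "throttled"
        group = self.groups.get(code)
        if group is None:
            self.fails.setdefault(client, []).append(self.clock())
            return "invalid"
        # A valid code only queues a request; it grants no audio or location.
        group["pending"].add(client)
        self.outbox.append((group["owner"], f"{client} asks to join"))
        return "pending"

    def approve(self, owner, code, client):
        group = self.groups.get(code)
        if group is None or group["owner"] != owner or client not in group["pending"]:
            return False
        group["pending"].discard(client)
        for member in sorted(group["members"]):    # every member sees the join
            self.outbox.append((member, f"{client} joined the group"))
        group["members"].add(client)
        return True

    def can_access(self, client, code):            # gate for audio and location
        group = self.groups.get(code)
        return group is not None and client in group["members"]
```

In a real deployment the throttle key would be an authenticated account or device rather than a bare client string, and the outbox would be a push notification channel.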

We see this same cycle play out time and time again. Companies get the great idea of launching new, “smart” versions of old ideas (jacuzzis, ovens, pet food dishes, door locks, glasses), but get so enamored with the gee-whizzery involved in selling internet-connectivity, they forget to do basic due diligence when it comes to product quality, security, or privacy.

And the lesson is always the same: if you value your privacy, security, and peace of mind, dumb tech is often the smarter bet.

Companies: livall


Comments on “Whoops: ‘Smart’ Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers”

11 Comments
Anonymous Coward says:

How could this possibly happen? I never thought an always connected camera that I bring everywhere with me and that sends all my data to a company’s servers could possibly spy on me. I even clicked the privacy policy link and at the top it said “We value your privacy”. I’m completely baffled as to how this could possibly happen.

And in other news, I have no idea how my helmet could stop working 6 months after I bought it. Who’d have thought the product would stop working when the shitty company that made it shut down its servers?

Anonymous Coward says:

I presume it’s something dumb like the first group is 000001, the next is 000002.

But even then if they have sold a million helmets and have a 6 digit group it’s woefully insufficient. Assuming 4 per group, what happens when they have sold 4 million helmets and have a million groups? Does the millionth+1 group suddenly get lumped with group 1?

A billion numbers assigned randomly and some sort of random signature required I assume the helmets must transmit to each other to join a group.
