Security Vulnerability In Livall Smart Helmet Exposed Users To Silent Location Tracking


A security flaw in a popular smart ski and bike helmet that allowed silent location tracking of its wearers has been fixed. Livall, the maker of the helmet, has addressed the issue, which could have put the privacy and safety of its users at risk.

Key Takeaway

A security flaw in Livall’s smart helmet allowed unauthorized access to users’ location and audio communications. The company has since addressed the issue by releasing app updates that improve the randomness of group codes and provide users with more control over their shared location.

Flaw in Livall Smart Helmet

Livall is known for its internet-connected helmets that enable skiers and bike riders to communicate with each other using the built-in speaker and microphone. Additionally, users can share their real-time location with friends through Livall’s smartphone apps. However, Ken Munro, the founder of U.K. cybersecurity testing firm Pen Test Partners, identified a significant security vulnerability in Livall’s smartphone apps.

Easy Access to Location Data

Munro discovered that Livall’s smartphone apps had a simple flaw that allowed easy access to any group’s audio chats and location data. The flaw stemmed from the fact that the group codes used for accessing audio chats and sharing location were not sufficiently random. This made it possible for malicious actors to brute force the group IDs and gain access to any user’s location and audio communications within the group.

Response from Livall

Upon being informed about the security flaw, Livall committed to fixing the app within two weeks. The company has since released app updates that address the vulnerability. Livall’s R&D director, Richard Yi, explained that the company has improved the randomness of group codes by adding letters and has also included alerts for new members joining groups. Additionally, the app now allows users to turn off the shared location at the user level.
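The sketch below models the three fixes described above (group codes that include letters, alerts when a member joins, a per-user location switch). It is an added example, not Livall's code. The code length, the alphabets, all names and the failed-join limit are assumptions, since the article states none of them.

```python
import math
import secrets
import string

DIGITS = string.digits                           # assumed "before" alphabet
ALNUM = string.ascii_uppercase + string.digits   # assumed "after": letters added
CODE_LEN = 6                                     # assumed; article gives no length
MAX_FAILED_JOINS = 5                             # assumed limit, not from the article


def keyspace_bits(alphabet, length=CODE_LEN):
    """Entropy in bits of a uniformly random code over this alphabet."""
    return length * math.log2(len(alphabet))


def new_group_code(alphabet=ALNUM, length=CODE_LEN):
    """Draw each character from the OS CSPRNG, never from a counter or clock."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class GroupRegistry:
    def __init__(self):
        self.members = {}   # group code -> {member id: shares location?}
        self.failed = {}    # client id -> count of wrong codes submitted
        self.alerts = []    # (notified member, new member) pairs

    def create(self, owner):
        code = new_group_code()
        while code in self.members:          # retry on the rare collision
            code = new_group_code()
        self.members[code] = {owner: True}
        return code

    def join(self, client, code):
        if self.failed.get(client, 0) >= MAX_FAILED_JOINS:
            return "locked"                  # refuse further guesses from this client
        group = self.members.get(code)
        if group is None:
            self.failed[client] = self.failed.get(client, 0) + 1
            return "no-such-group"
        self.alerts += [(m, client) for m in group]   # tell existing members
        group[client] = True
        return "joined"

    def set_sharing(self, code, member, enabled):
        self.members[code][member] = enabled  # per-user location switch

    def visible_locations(self, code):
        return sorted(m for m, on in self.members[code].items() if on)
```

With these assumed parameters, adding uppercase letters raises a 6-character code from about 19.9 bits to about 31.0 bits of entropy; the join alert and the failed-join limit cover the case where a code is guessed or leaked anyway.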
