The maker of a popular ski and bike helmet has patched a security flaw that allowed the real-time location of anyone wearing its helmet to be easily tracked.
Livall makes Internet-connected helmets that allow groups of skiers or cyclists to talk to each other using the helmet’s built-in speaker and microphone and share their real-time location with a group of friends using Livall’s smartphone apps.
Ken Munro, founder of UK cyber security testing firm Pen Test Partners, said Livall’s smartphone apps had a simple flaw that allows easy access to any group’s audio chats and location data. Munro says the two apps, one for skiers and one for cyclists, have a total of about a million users.
At the heart of the bug, Munro found that anyone using Livall’s apps for group audio chat and sharing their location must belong to the same friend group, which could be accessed using only that group’s six-digit numeric code.
“That 6-digit team code just isn’t random enough,” Munro said in a blog post describing the flaw. “We could brute force all group IDs in minutes.”
That way, anyone could have access to any of a million possible group chat code permutations.
“Once someone entered a valid group code, they were automatically entered into the group,” Munro said, adding that this happened without notifying the other group members.
“It was therefore trivial to silently join any group, giving us access to any user location and the ability to listen in on any group audio communication,” Munro said. “The only way to detect a rogue group user was if the legitimate user went to check the members of that group.”
Munro and his colleagues in security research are no strangers to finding obscure but often simple flaws in internet-connected products such as car alarms, dating apps and sex toys. The company discovered in 2021 that Peloton was exposing private rider account data due to an API leak, which TechCrunch proudly played the guinea pig for.
After contacting Livall, who requested more information, Munro sent details of the defect on January 7, but received no response and received no confirmation from the company.
Given the risk to users who don’t expect the flaw to be fixed, Munro notified TechCrunch of the flaw, and TechCrunch reached out to Livall for comment.
When contacted via email, Livall founder Bryan Zheng pledged to fix the app within two weeks of our email, but refused to remove Livall apps in the meantime.
TechCrunch withheld this report until Livall confirmed that it had fixed the flaw in app updates released this week.
In an email, Livall R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters and notifications for new members joining groups. Yi also said that the app now allows disabling shared location at the user level.
