“Smart” helmet flaw exposes location tracking and privacy risks

A smart helmet for biking and skiing fans sounds like a good idea.

If you're on the slopes or trails, you want to protect your head and stay in touch with your group.

Which is why Livall, a popular manufacturer of ski and bike helmets, has presumably developed a "smart" line of products with "walkie-talkie" functionality for groups to stay in touch and track each other's location.

Unfortunately, according to security researchers, Livall's implementation of the "smart" technology was nothing less than foolish.

As TechCrunch reports, a security flaw allowed unauthorised parties to track the location of anyone wearing its helmets and listen to group conversations.

After security researchers at Pen Test Partners approached reporters at TechCrunch because they had no response from Livall itself, the flaw has now been addressed.

As Pen Test Partners explains in a blog post, Livall’s smartphone apps ask helmet owners to create a group to link up with friends.

This is done with Livall's app (they have a separate one for skiers and bikers, but they work the same way) which requests a code be entered to join a group. That code consisted of six digits.

As Ken Munro of Pen Test Partners explains, "That six-digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes."

This meant that to join a group, all you had to do was enter a valid group code, making it easy to spy on their real-time location or snoop on conversations from anywhere in the world without needing permission from a member.

Pen Test Partners found the flaw because some of their researchers are keen skiers, but later they discovered the same problem in Livall's "smart" bike helmets too.

Livall's bike helmets made the problem more significant. There are only a few thousand users of Livall's smart ski helmets, compared to around a million of its biking equivalent.

The security researchers' attempts to get a response from Livall about the flaw seemed to have fallen on deaf ears until TechCrunch security editor Zack Whittaker raised the issue with the firm. On February 5th, Livall announced a new app version that uses six character alphanumeric codes instead of six digit numeric codes, significantly increasing the difficulty of exploiting the problem.

One would hope that an updated app requires existing group members to approve new additions, instead of allowing others to join accidentally or without permission.

If you own a Livall smart helmet for your ski trips or biking excursions, make sure to update your app from the official Google Play or iOS App Store.