Whoops: ‘Smart’ Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers
Makers of new “smart” technologies keen on reinventing the wheel keep inadvertently sending the same message: sometimes dumber technology is smarter.
The latest case in point: a company named Livall makes “smart” bike helmets for skiers and cyclists that includes features like auto-fall detection, GPS location monitoring, and integrated braking lights. The problem: the company apparently didn’t spend enough time securing the company’s app, allowing pretty much anybody to listen in on and track the precise location data of a million customers in real time.
Livall’s smartphone apps feature group audio chats and location data. The problem: Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, found that the chat groups were secured by a six-digit pin code that was very simple to brute force (via Techcrunch):
“That 6 digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes.”
Munro also noted that there was nothing to alert a group of cyclists or skiers that someone new had entered the chat, allowing a third party to monitor them in complete silence:
“As soon as one entered a valid group code, one joined the group automatically. There was no further authorisation nor alerts to the other group user. It was therefore trivial to silently join any group, giving us access to any users location and the ability to listen in to any group audio communications.“
Whoops a daisy. As with so many modern “smart” tech companies, Munro also notes that Livall only took their findings seriously once they got a prominent security journalist (Zack Whittaker at Techcrunch) involved to bring attention to the problem. Livall finally fixed the problem, but it’s not entirely clear that would have happened without Whittaker’s involvement.
We see this same cycle play out time and time again. Companies get the great idea of launching new, “smart” versions of old ideas (jacuzzis, ovens, pet food dishes, door locks, glasses), but get so enamored with the gee-whizzery involved in selling internet-connectivity, they forget to do basic due diligence when it comes to product quality, security, or privacy.
And the lesson is always the same: if you value your privacy, security, and peace of mind, dumb tech is often the smarter bet.