There is no question that Internet of Things (IoT) devices have a bad reputation when it comes to security. That reputation is not entirely unwarranted, given the many instances of IoT devices being compromised and exploited by malicious actors. One of the primary reasons is the sheer volume of IoT devices flooding the market, many of which are rushed to production without adequate security measures. These devices often lack basics such as encryption, authentication, and regular software updates, leaving them highly vulnerable to attack.
Privacy concerns add another layer to the problem. When an IoT device is compromised, it not only puts the network it is connected to at risk, it also jeopardizes the privacy of the people whose data it collects. A compromised smart home camera could expose private moments within a household to unauthorized parties, and a hacked wearable could leak sensitive health data. Because IoT devices are so pervasive and collect so much personal information, from location data to behavioral patterns, they are attractive targets for data breaches.
The team at Pen Test Partners in the United Kingdom was recently playing around with some smart ski and bike helmets manufactured by LIVALL. These helmets connect to a phone app via Bluetooth to provide location sharing and push-to-talk capabilities to members of a group. By all accounts, these functions work quite well, allowing members of a group to stay in contact and quickly meet back up if they get separated. Anyone who has lost track of their friends on the slopes will understand just how useful that could be.
Unfortunately, Pen Test Partners found these helmets to be embarrassingly insecure. If a product is found to have a vulnerability, one would at least hope that exploiting it requires a very complex and obscure hack that only works on the third full moon of the year when all of the planets are in the right alignment. In this case, a few minutes of brute force is enough to listen in on private conversations and track the location of everyone in a group.
After the helmets are paired with a phone, a group can be created or joined simply by entering a six-digit numeric code. That's it. There is no additional authentication needed to join an existing group: permission from an existing member is not required, and no notification is given to group members when someone new joins. Since there are only one million possible codes, an attacker need only cycle through all of them to find and join every active group. The same tactic could be used to create groups under every possible code in a few minutes, leaving real users with no codes left to create a group of their own.
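The following is an added illustration, not code from LIVALL, its app, or Pen Test Partners, of why a join-by-code design like the one described above is enumerable and what a hardened design needs. The group service, the attacker loops, the 36-character uppercase alphanumeric alphabet, the lockout threshold, and the attempt rate used for the time estimate are all assumptions made for the example; the real app's internals are not described on this page.

```python
"""
Toy model of a join-by-code group service (constructed example, not LIVALL's or
Pen Test Partners' code). Models the reported weak design, the two attacks
described in the text, and a hardened variant.
"""
import itertools
import secrets
import string
from collections import defaultdict

DIGITS = string.digits                          # 10 symbols, as in the weak design
ALNUM = string.ascii_uppercase + string.digits  # 36 symbols (assumed alphabet for the fix)


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct codes an attacker must try in the worst case."""
    return len(alphabet) ** length


def brute_force_seconds(alphabet: str, length: int, attempts_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at an assumed attempt rate."""
    return keyspace(alphabet, length) / attempts_per_second


class WeakGroupServer:
    """Models the reported design: the code is the only credential, anyone who
    knows (or guesses) it joins silently, and creating a group just claims a code."""

    def __init__(self, length: int = 6):
        self.length = length
        self.groups = {}  # code -> list of members

    def create_group(self, code: str, creator: str) -> bool:
        if code in self.groups:
            return False
        self.groups[code] = [creator]
        return True

    def join_group(self, code: str, member: str) -> bool:
        if code not in self.groups:
            return False
        self.groups[code].append(member)  # no approval, no notification to members
        return True


def enumerate_groups(server: WeakGroupServer, attacker: str = "attacker") -> list:
    """Attack 1: try every numeric code and join whatever answers."""
    found = []
    for digits in itertools.product(DIGITS, repeat=server.length):
        code = "".join(digits)
        if server.join_group(code, attacker):
            found.append(code)
    return found


def squat_all_codes(server: WeakGroupServer, attacker: str = "attacker") -> int:
    """Attack 2: claim every code so legitimate users cannot create a group."""
    claimed = 0
    for digits in itertools.product(DIGITS, repeat=server.length):
        if server.create_group("".join(digits), attacker):
            claimed += 1
    return claimed


class HardenedGroupServer:
    """Server-generated alphanumeric code (the user cannot pick one, so codes
    cannot be squatted), a per-client lockout after repeated failed joins, and a
    join event that existing members can see."""

    MAX_FAILURES = 5  # assumed threshold

    def __init__(self, alphabet: str = ALNUM, length: int = 6):
        self.alphabet, self.length = alphabet, length
        self.groups = {}
        self.events = defaultdict(list)   # code -> join notifications
        self.failures = defaultdict(int)  # client -> failed join attempts

    def create_group(self, creator: str) -> str:
        while True:  # retry on the (rare) collision with an existing code
            code = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
            if code not in self.groups:
                self.groups[code] = [creator]
                return code

    def join_group(self, code: str, member: str, client: str) -> bool:
        if self.failures[client] >= self.MAX_FAILURES:
            return False  # locked out: enumeration stalls here even with the right code
        if code not in self.groups:
            self.failures[client] += 1
            return False
        self.groups[code].append(member)
        self.events[code].append(f"{member} joined")  # existing members are told
        return True
```

With six digits the keyspace is 1,000,000 codes, so at an assumed 1,000 attempts per second the whole space is covered in under 17 minutes. Six uppercase alphanumeric characters give 36^6, about 2.2 billion codes, which at the same rate takes roughly 25 days; that is what makes the fix effective, but only if the service also limits attempts per client and lets the code be generated server-side, as the hardened class does. A bigger alphabet alone just raises the attacker's cost; it does not remove the missing authorization and notification the text describes.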
The team contacted the manufacturer to report the problem but could not get much of a response. After contacting a journalist, and thereby introducing the risk of a bad public relations event, a response was received, and within a few weeks a fix was applied to the app. The six-digit numeric code was changed to an alphanumeric one, which makes brute force attacks impractical. It is such a small fix with such a big impact that one cannot help but wonder why the software was not designed this way in the first place. Ah, IoT! We may never understand you, but we still cannot get enough of you!