An anonymous reader cites a TechCrunch report. The maker of popular smart ski and bike helmets has fixed a security flaw that made it easier to track the real-time location of people wearing their helmets. Livall makes internet-connected helmets that allow groups of skiers and bike riders to talk to each other using the helmet's built-in speakers and microphones, and to a group of friends using Livall's smartphone app. You can share your real-time location information. Ken Munro, founder of British cybersecurity testing firm Pen Test Partners, said Rival's smartphone app had a simple flaw that made it easy to access group voice chats and location data. Munro said his two apps, one for skiers and one for bike riders, have about 1 million users combined.
Munro said the core of the bug is that anyone using Rival's app for group voice chats and sharing their location must be in the same friend group, and that group's six-digit numeric code I discovered that it can be accessed using only . “His six-digit group his code is simply not random enough,” Munro said in a blog post explaining this flaw. “You can brute force all group IDs within minutes.” That way, anyone can access one of her million combinations of group chat codes.
“As soon as a person entered a valid group code, the person automatically joined the group,” Munro said, adding that this happened without warning to other group members. “So it's now easy to join a group silently, have access to any user's location, and listen to the group's voice communications,” Munro said. “The only way a user in an unauthorized group can be detected is if a legitimate user goes to see who is a member of that group.” […] Richard Yi, Livall's director of research and development, explained in an email that they improved the randomness of the group code by adding characters and including alerts for new members joining the group. Yee also said the app now allows users to turn off location sharing at the user level.