The maker of popular smart ski and bike helmets has fixed a security flaw that made it easier to track the real-time location of people wearing their helmets.
Livall makes internet-connected helmets that allow groups of skiers and bike riders to talk to each other using the helmet's built-in speakers and microphones, or to a group of friends using Livall's smartphone app. You can share your real-time location information.
Ken Munro, founder of British cybersecurity testing firm Pen Test Partners, said Rival's smartphone app had a simple flaw that made it easy to access group voice chats and location data. Munro said his two apps, one for skiers and one for bike riders, have about 1 million users combined.
Munro said the core of the bug is that anyone using Rival's app for group voice chats and sharing their location must be in the same friend group, and that group's six-digit numeric code I discovered that it can be accessed using only .
“That six-digit group code simply isn't random enough,” Munro said in a blog post explaining the flaw. “You can brute force all group IDs within minutes.”
That way, anyone can access one of a million combinations of group chat codes.
“As soon as a person entered a valid group code, they automatically joined the group,” Munro said, adding that this happened without warning to other group members.
“So it's now easy to silently join any group, have access to any user's location, and listen in on the group's audio communications,” Munro said. “The only way a user in an unauthorized group can be detected is if a legitimate user goes to see who is a member of that group.”
Munro and his security research colleagues are used to finding obscure but simple flaws in internet-connected products like car alarms, dating apps and sex toys. In 2021, TechCrunch proudly played the role of guinea pig when Peloton discovered that Peloton was exposing riders' private account data due to API leaks.
After contacting Rival for further information, Munro sent details of the defect on January 7, but received no response or confirmation from the company.
Given the risk to users who don't expect the flaw to be fixed, Munro alerted TechCrunch to the flaw, and TechCrunch reached out to Livall for comment.
When contacted via email, Livall founder Bryan Zheng promised to fix the app within two weeks of the email, but refused to remove the Livall app in the meantime.
TechCrunch withheld this report until Lival confirmed that he had fixed the flaw in an app update released this week.
Richard Yi, Livall's director of research and development, explained in an email that they improved the randomness of the group code by adding characters and including alerts for new members joining the group. Yee also said the app now allows users to turn off location sharing at the user level.