05 March 2019

Outdoor Tech’s Chips ski helmet speakers are a hot mess of security flaws


Sometimes the “smartest” gadgets come with the shoddiest security.

Alan Monie, a security researcher at U.K. cybersecurity firm Pen Test Partners, bought and tested a pair of Chips 2.0 wireless speakers, built by California-based Outdoor Tech, only to find they’re a security nightmare.

The in-helmet speakers allow users to listen to music on the go, make calls, and talk to your friends through the walkie-talkie — all without having to take your helmet off. The speakers are connected to an app on your phone.

You’re probably thinking: how bad can the security be on a simple-enough ski helmet speakers be?

According to Monie, who wrote up his findings, it’s easy to grab streams of data from the server-side API, used to communicate with the app, such as usernames, email addresses, and phone numbers of anyone with an account. Monie said the API returned scrambled passwords, but that password reset codes were sent in plaintext.

Worse, it’s possible to reveal a user’s precise geolocation, and listen in on anyone’s real-time walkie-talkie conversations.

The only thing worse than the security flaws are the company’s lack of response when Monie reached out to get the issues fixed. After a short email exchange over several days, the company stopped responding, he said.

“We really like the product but its security is sorely lacking,” said Monie in his report.

It’s the latest example of many where gadget makers don’t take little to no responsibility for the security of their hardware or software. Given these days so many devices connect to the internet – either directly or through an app — every company had to think like a security company.

Outdoor Tech did not return a request for comment.


Read Full Article

No comments:

Post a Comment