A recent security flaw in Livall’s “smart” helmets raised concerns about user privacy and location tracking. The helmets, popular among biking and skiing enthusiasts, were designed with “walkie-talkie” functionality to keep groups connected and let members track each other’s locations. However, security researchers from Pen Test Partners discovered a significant flaw in the implementation that allowed unauthorized parties to track helmet wearers’ locations and listen to group conversations. Livall’s smartphone apps, used for both skiing and biking helmets, relied on a six-digit group code that could be easily guessed through brute-force attacks.
The flaw was brought to light when researchers approached TechCrunch after receiving no response from Livall. Pen Test Partners explained that entering a valid six-digit group code was all it took for unauthorized access, making it possible to spy on real-time locations and eavesdrop on conversations without permission. Livall responded by releasing a new app version on February 5th, replacing the numeric codes with six-character alphanumeric codes, significantly improving the security of the helmets. However, questions remain about whether the updated app requires existing group members’ approval for new additions to prevent accidental or unauthorized access.
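To make the two points above concrete, the following added example (not Livall's code and not from the original article) compares the size of the old and new code spaces and sketches a join flow in which a valid code only creates a pending request until an existing member approves it. The 36-symbol alphabet, the `JoinService` class, its method names and the failure limit are all assumptions made for illustration.

```python
import string

DIGITS = string.digits                          # old scheme: six numeric characters
ALNUM = string.ascii_uppercase + string.digits  # assumed 36-symbol alphabet for the new codes

def keyspace(alphabet, length=6):
    """Number of possible group codes of the given length."""
    return len(alphabet) ** length

class JoinService:
    """Hypothetical server-side join flow: caps wrong codes per client and
    holds correct-code joins as pending until an existing member approves."""

    def __init__(self, max_failures=5):
        self.groups = {}     # code -> set of approved member ids
        self.pending = {}    # code -> set of client ids awaiting approval
        self.failures = {}   # client id -> count of wrong codes submitted
        self.max_failures = max_failures

    def create_group(self, code, owner):
        self.groups[code] = {owner}
        self.pending[code] = set()

    def request_join(self, client, code):
        if self.failures.get(client, 0) >= self.max_failures:
            return "locked"            # stop answering after repeated misses
        if code not in self.groups:
            self.failures[client] = self.failures.get(client, 0) + 1
            return "rejected"
        self.pending[code].add(client)
        return "pending"               # a valid code alone grants no access

    def approve(self, approver, client, code):
        if approver in self.groups.get(code, ()) and client in self.pending.get(code, ()):
            self.pending[code].remove(client)
            self.groups[code].add(client)
            return True
        return False

    def can_access(self, client, code):
        """Location and audio are released only to approved members."""
        return client in self.groups.get(code, ())

if __name__ == "__main__":
    print(keyspace(DIGITS), keyspace(ALNUM))   # constructed comparison
    svc = JoinService()
    svc.create_group("7K2QX9", "alice")        # constructed sample code and names
    print(svc.request_join("mallory", "7K2QX9"), svc.can_access("mallory", "7K2QX9"))
```

The per-client counter is the simplest form of throttling; a real service would also need limits that hold when a client changes its identity between attempts.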