On the face of it, Outdoor Tech’s Chips 2.0 speakers seem like the perfect accessory for any on-trend snow sports enthusiast.
The $130 Bluetooth helmet speakers attach to your audio-equipped ski helmet, giving you 10 hours of wireless audio with the ability to talk to your friends. There’s just one problem, said a security researcher this week: Everyone else can listen in too, and do a lot more besides.
Alan Monie, a researcher at cybersecurity consulting company Pen Test Partners, discovered the flaws after poking around in the walkie-talkie app that comes with the Bluetooth headphones.
Rather than connecting directly with other users on the slopes via Bluetooth, the app connects your Chips 2.0 speakers to the internet via your smartphone, meaning that all communications pass through Outdoor Tech’s servers.
The app allows you to form groups of other skiers or snowboarders, all of whom can then talk to each other via the app. Monie tried it out by creating a group and typing in his own name. That’s when the problems started, he says:
I began setting up a group and noticed that I could see all users. I started searching for my own name and found that I could retrieve every user with the same name in their account.
He dug a little deeper, typing ‘A’ into Outdoor Tech’s application programming interface (API), which is the software interface that the app uses to communicate with the back-end server. It showed 19,000 users.
Names were not the only piece of personally identifiable information that the app revealed. The API returned all the other users’ email addresses too, and he was also able to retrieve their phone numbers. He could extract their real-time GPS position, and listen to real-time walkie-talkie chats. He could also retrieve any user’s password hash along with their reset code in plain text.
Monie suggested that returning lists of users based on the entry of an initial letter is intended functionality, adding:
Obviously, I only pulled data that was mine or my friends with their permission. Anyone with less ethical intentions could do much worse. I also wonder how many users had re-used passwords from elsewhere?
The culprit here is an Insecure Direct Object Reference (IDOR). This exposes an object, such as a file, directory, or database key, without verifying that the caller is authorised to access it. That makes it possible for an attacker to manipulate the object reference, which could be as simple as a number on the end of a URL query string.
IDOR showed up on the Open Web Application Security Project (OWASP) top 10 vulnerability list as far back as 2007. In the most recent version, 2017, the organization merged it with ‘missing function level access control’ to create ‘broken access control’. In other words, it is still alive and well, and people keep running afoul of it, as Outdoor Tech has shown us.
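As an added illustration (not code from the article or from Outdoor Tech’s app), the following Python models the two sides of the bug described above: a name-search endpoint that hands any caller every column of every match, and a hardened version that ties results to an authenticated caller, decides visibility per object, and never serialises password hashes or reset codes. All records, hashes and codes are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: int
    name: str
    email: str
    phone: str
    password_hash: str
    reset_code: str
    friends: set = field(default_factory=set)

# Constructed sample records; the hashes and reset codes are placeholders.
USERS = {
    1: User(1, "Alan", "alan@example.invalid", "+1-555-0100", "HASH-A", "RST-111", {2}),
    2: User(2, "Alan", "alan2@example.invalid", "+1-555-0101", "HASH-B", "RST-222", {1}),
    3: User(3, "Alana", "alana@example.invalid", "+1-555-0102", "HASH-C", "RST-333"),
}

PUBLIC_FIELDS = ("user_id", "name")                   # what a search result carries
CONTACT_FIELDS = PUBLIC_FIELDS + ("email", "phone")   # what a friend may see
# password_hash and reset_code are never serialised by any fixed endpoint.

class Forbidden(Exception):
    pass

def search_users_vulnerable(prefix):
    """The broken pattern: no caller identity, no prefix length check,
    and the whole row of every match is serialised."""
    return [vars(u) for u in USERS.values() if u.name.startswith(prefix)]

def search_users_fixed(caller_id, prefix):
    """Hardened search: the caller must be a known account, the prefix must be
    a plausible name fragment, and only public fields are returned."""
    if caller_id not in USERS:
        raise Forbidden("unauthenticated caller")
    if len(prefix) < 3:
        raise ValueError("prefix too short for a search")
    return [{f: getattr(u, f) for f in PUBLIC_FIELDS}
            for u in USERS.values() if u.name.startswith(prefix)]

def get_user_fixed(caller_id, target_id):
    """Object-level authorisation: what the caller sees depends on the
    relationship between caller and target, never on the id alone."""
    caller = USERS.get(caller_id)
    if caller is None:
        raise Forbidden("unauthenticated caller")
    target = USERS[target_id]   # KeyError for unknown ids
    fields = CONTACT_FIELDS if (caller_id == target_id or target_id in caller.friends) else PUBLIC_FIELDS
    return {f: getattr(target, f) for f in fields}
```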
Pen Test Partners contacted the manufacturer to explain what had happened on 6 February 2019, and got a mail back from its marketing manager on 11 February. It sent more emails on 13 and 20 February, but Outdoor Tech refused to acknowledge the vulnerability or propose any fixes, Monie explained.
Pauline
In this day and age, any company that will not acknowledge a vulnerability such as this is just downright careless, slipshod and negligent. With so many bug hunters out there who are more than happy to share their findings, and so many stories out there like this one, the company in question should just man up, admit to the problem and fix it. There’s no such thing as bug-proof software of any kind, anywhere; so just fix it!
Greg
Remember in the olden days when we had wired headphones that didn’t go flat or send all of your data to anyone who asked…
Steve
Yeah… but when you got your skis tangled up in those 1000-meter headphone cords, bones could be broken! ;)
dhunter
For companies who outsource their software and do not have the ability to correct flaws quickly or those who outright refuse to be accountable, the only solution is to publish the security flaws far and wide to advise users of the potential risks. If the company’s credibility and income potential is damaged, well, so be it – lesson learned, maybe.
Brian DuBridge
Certainly, this is how competition works. Whoever can do it with secure connections and a similar price point will drive them into the ground.