A set of smart speakers intended for ski helmets are a terrible data-leaking pit of badness, according to a Pen Test Partners researcher who innocently bought himself one of the devices.
"I love snow sports, and I also like my tunes, so purchasing the Outdoor Tech CHIPS smart headphones was a no-brainer," wrote PTP chap Alan Monie this week. "They fit into audio-equipped helmets and have huge 40mm drivers. Warm ears and good bass."
The Bluetooth snow helmet speakers were, however, not a good choice for people who value their privacy and security.
"[Think back] to when you used to have to carry your MP3 + your ear buds + your smartphone + your walkie-talkie + heated mittens when you would go ride your local hill," gushed manufacturer Outdoor Tech's marketing blurb. The speakers themselves fit inside a ski helmet and also serve as a short-range walkie-talkie – something which Alan discovered was not the innocent feature that it seemed to be on the surface.
"I began setting up a group and noticed that I could see all users. I started searching for my own name and found that I could retrieve every user with the same name in their account," he said.
By abusing insecure direct object references (IDOR) in the product's API, Alan was able to:
- Pull all the users and their email addresses from the API
- Retrieve their password hash and their password reset code in plain text
- View their phone number
- Extract users' real-time GPS position
- Listen to real-time walkie-talkie chats
Even worse, when Alan queried the API with the letter A, intending to find his own name and add it to a user group he wanted to set up, the API returned 19,000 results – every single registered user whose first name started with A. For good measure it also threw in their email addresses.
With some basic poking around in the API using nothing more than his own user-level credentials, Alan wrote that he was able to get hold of other users' password hashes, their "password reset code and user's phone number in plain text" as well as listing their real-time GPS locations. He was even able, he said, to get hold of the live stream for other users' walkie-talkie chats.
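The two failures described above, an object lookup that trusts whatever id the caller supplies and a directory search that hands back every matching account with its secrets attached, are sketched below beside a hardened version. This is an added illustration written for this page, not code from the PTP write-up or from Outdoor Tech's API; the account data, field names and group membership are constructed placeholders.

```python
"""Illustration of the API failures described above: a user lookup that
trusts the supplied object id (an insecure direct object reference) and a
user search that returns every matching account, secrets included, next to
hardened equivalents. All data here is constructed for the example."""


class Forbidden(Exception):
    """Raised when the requester may not see the referenced object."""


# Constructed sample accounts (placeholder values, not real users).
USERS = {
    1: {"id": 1, "name": "Alan", "email": "alan@example.invalid",
        "phone": "+44-0000-000001", "password_hash": "$2b$12$constructedhash1",
        "reset_code": "111111", "gps": (45.92, 6.87)},
    2: {"id": 2, "name": "Alice", "email": "alice@example.invalid",
        "phone": "+44-0000-000002", "password_hash": "$2b$12$constructedhash2",
        "reset_code": "222222", "gps": (45.93, 6.86)},
    3: {"id": 3, "name": "Bob", "email": "bob@example.invalid",
        "phone": "+44-0000-000003", "password_hash": "$2b$12$constructedhash3",
        "reset_code": "333333", "gps": (45.94, 6.85)},
}
# Walkie-talkie group membership: only users 1 and 2 share a group.
GROUPS = {"ski-club": {1, 2}}


# --- the shape of the flaw ---------------------------------------------------

def get_user_vulnerable(requester_id, target_id):
    """Trusts the supplied id and returns the whole record: an IDOR plus
    over-exposure of hash, reset code, phone number and GPS position."""
    return USERS[target_id]


def search_users_vulnerable(requester_id, prefix):
    """Prefix search across every account, secrets included."""
    return [u for u in USERS.values() if u["name"].startswith(prefix)]


# --- the hardened equivalents ------------------------------------------------

PUBLIC_FIELDS = ("id", "name")                         # what another member sees
SELF_FIELDS = ("id", "name", "email", "phone", "gps")  # what you see of yourself
# password_hash and reset_code appear in no projection: they never leave the server.


def _project(record, fields):
    return {k: record[k] for k in fields}


def _shares_group(a, b):
    return any(a in members and b in members for members in GROUPS.values())


def get_user_hardened(requester_id, target_id):
    """Authorise the object reference against the requester before returning
    it, then return only the fields that relationship permits."""
    record = USERS.get(target_id)
    if record is None:
        raise KeyError(target_id)
    if target_id == requester_id:
        return _project(record, SELF_FIELDS)
    if _shares_group(requester_id, target_id):
        return _project(record, PUBLIC_FIELDS)
    raise Forbidden(f"user {requester_id} may not view user {target_id}")


def search_users_hardened(requester_id, prefix, limit=20, min_len=3):
    """Directory search that resists enumeration: minimum term length, capped
    result count, and no field beyond id and display name."""
    if len(prefix) < min_len:
        raise ValueError(f"search term must be at least {min_len} characters")
    hits = [u for u in USERS.values()
            if u["name"].lower().startswith(prefix.lower())]
    return [_project(u, PUBLIC_FIELDS) for u in hits[:limit]]


def denied(fn, *args):
    """True if the call is rejected; shows the hardened handlers failing closed."""
    try:
        fn(*args)
    except (Forbidden, ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    print(get_user_vulnerable(3, 1))        # Bob reads Alan's hash and reset code
    print(denied(get_user_hardened, 3, 1))  # True: Bob and Alan share no group
    print(search_users_hardened(1, "Ali"))  # [{'id': 2, 'name': 'Alice'}]
```

The single-letter search in the story maps to `search_users_vulnerable(1, "A")`; the hardened search rejects it outright, and even a valid term returns only ids and display names, so a user-level account cannot be turned into a dump of the whole user base.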
When PTP contacted Outdoor Tech, the firm's marketing manager replied once before replies dried up. After a three-week delay, PTP decided to go public with the vulns because it said "the vulnerability hadn't been acknowledged and no remediation actions had been proposed".
The cautionary tale sheds light on interesting and potentially useful smart gadgets. Far from being an Alibaba special, Outdoor Tech does not appear to be some kind of fly-by-night internet vendor mainly motivated to make a fast buck. Its products clearly have a loyal and engaged userbase, as shown by the ongoing development of the CHIPS speakers from their first iteration as a set of in-helmet speakers to today's Bluetooth-enabled tech. Yet that popularity should also come with some corporate responsibility. Security through obscurity is no security at all – and with a live vuln still in the product, the onus is on Outdoor Tech to fix it and fast.
Outdoor Tech had not responded to The Register's emailed enquiries by the time of publication. ®