Outdoor Tech’s Chips ski helmet speakers are a hot mess of security flaws


Sometimes the “smartest” gadgets come with the shoddiest security.

Alan Monie, a security researcher at U.K. cybersecurity firm Pen Test Partners, bought and tested a pair of Chips 2.0 wireless speakers, built by California-based Outdoor Tech, only to find they’re a security nightmare.

The in-helmet speakers allow users to listen to music on the go, make calls and talk to friends through the walkie-talkie — all without having to take off their helmet. The speakers are connected to an app on your phone.

You’re probably thinking: how bad can the security be on a simple-enough pair of ski-helmet speakers?

According to Monie, who wrote up his findings, it’s easy to grab streams of data from the server-side API, used to communicate with the app, such as usernames, email addresses and phone numbers of anyone with an account. Monie said the API returned scrambled passwords, but that password reset codes were sent in plaintext.

Worse, it’s possible to reveal a user’s precise geolocation, and listen in on anyone’s real-time walkie-talkie conversations.

The only thing worse than the security flaws is the company’s lack of response when Monie reached out to get the issues fixed. After a short email exchange over several days, the company stopped responding, he said.

“We really like the product but its security is sorely lacking,” said Monie in his report.

Outdoor Tech spokesperson Taylor Toussaint said the company “is not aware of any such existing system vulnerabilities,” but declined further communications when asked if the company received any contact from the security researchers. Emails seen by TechCrunch show efforts by the researchers to warn Outdoor Tech of the vulnerabilities. Toussaint later said he was advised by the company’s legal counsel to “cease all further communication.”

According to the researchers, Outdoor Tech fixed the vulnerabilities on Tuesday.

It’s the latest of many examples where gadget makers take little to no responsibility for the security of their hardware or software. With so many devices connected to the internet — either directly or through an app — every company has to think like a security company.

Updated with comment from the Outdoor Tech spokesperson, and to note that the vulnerabilities are now fixed.