On the face of it, Outdoor Tech’s Chips 2.0 speakers seem like the perfect accessory for any on-trend snow sports enthusiast.
The $130 Bluetooth helmet speakers attach to your audio-equipped ski helmet, giving you 10 hours of wireless audio with the ability to talk to your friends. There’s just one problem, said a security researcher this week: Everyone else can listen in too, and do a lot more besides.
Alan Monie, a researcher at cybersecurity consulting company Pen Test Partners, discovered the flaws after poking around in the walkie-talkie app that comes with the Bluetooth headphones.
Rather than connecting directly with other users on the slopes via Bluetooth, the app connects your Chips 2.0 speakers to the internet via your smartphone, meaning that all communications pass through Outdoor Tech’s servers.
The app allows you to form groups of other skiers or snowboarders, all of whom can then talk to each other via the app. Monie tried it out by creating a group and typing in his own name. That’s when the problems started, he says:
I began setting up a group and noticed that I could see all users. I started searching for my own name and found that I could retrieve every user with the same name in their account.
He dug a little deeper, typing ‘A’ into Outdoor Tech’s application programming interface (API), which is the software interface that the app uses to communicate with the back-end server. It showed 19,000 users.
Names were not the only piece of personally identifiable information that the app revealed. The API returned all the other users’ email addresses too, and he was also able to retrieve their phone numbers. He could extract their real-time GPS position, and listen to real-time walkie-talkie chats. He could also retrieve any user’s password hash along with their reset code in plain text.
Monie suggested that returning lists of users based on the entry of an initial letter is intended functionality, adding:
Obviously, I only pulled data that was mine or my friends with their permission. Anyone with less ethical intentions could do much worse. I also wonder how many users had re-used passwords from elsewhere?
The culprit here is the Insecure Direct Object Reference (IDOR). This exposes a reference to an internal object, such as a file, directory, or database key, without checking that the requester is authorized to access it. That makes it possible for an attacker to manipulate the reference, which could be a simple number attached to the end of a URL query string.
IDOR showed up on the Open Web Application Security Project (OWASP) top 10 vulnerability list as far back as 2007. In the most recent version, 2017, the organization merged it with ‘missing function level access control’ to create ‘broken access control’. In other words, it is still alive and well, and people keep falling afoul of it, as Outdoor Tech has shown us.
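To make the access-control gap concrete, here is an added example (not Outdoor Tech's code, and not from Pen Test Partners) that sets a user search returning full records to any caller beside a version that checks the caller, returns only allow-listed fields and authorizes each object lookup. The data, field names, group model and limits are all assumptions made for illustration.

```python
# Added illustration. Data, field names and limits are constructed assumptions,
# not Outdoor Tech's real schema or API.
USERS = {
    1: {"name": "Alan", "email": "alan@example.test", "pw_hash": "<hash-1>",
        "reset_code": "<code-1>", "gps": (46.02, 7.75)},
    2: {"name": "Alana", "email": "alana@example.test", "pw_hash": "<hash-2>",
        "reset_code": "<code-2>", "gps": (45.92, 6.87)},
    3: {"name": "Bob", "email": "bob@example.test", "pw_hash": "<hash-3>",
        "reset_code": "<code-3>", "gps": (39.60, -106.36)},
}
GROUPS = {"g1": {1, 2}}          # group id -> member user ids
PUBLIC_FIELDS = ("name",)        # allow-list of fields a search may return
MIN_PREFIX, MAX_RESULTS = 3, 10  # hypothetical limits against bulk enumeration


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def search_users_vulnerable(prefix):
    # Pattern the article describes: any prefix, full records, no caller check.
    p = prefix.lower()
    return [u for u in USERS.values() if u["name"].lower().startswith(p)]


def search_users(caller_id, prefix):
    # Hardened: known caller, minimum prefix, allow-listed fields, capped size.
    if caller_id not in USERS:
        raise Forbidden("unknown caller")
    if len(prefix) < MIN_PREFIX:
        return []
    p = prefix.lower()
    hits = [{"id": uid, **{f: u[f] for f in PUBLIC_FIELDS}}
            for uid, u in USERS.items() if u["name"].lower().startswith(p)]
    return hits[:MAX_RESULTS]


def shares_group(a, b):
    return any(a in members and b in members for members in GROUPS.values())


def get_location(caller_id, target_id):
    # Object-level authorization: the id in the request is checked against
    # the caller's own relationships before any data is returned.
    if caller_id not in USERS or target_id not in USERS:
        raise Forbidden("unknown user")
    if caller_id != target_id and not shares_group(caller_id, target_id):
        raise Forbidden("caller shares no group with target")
    return USERS[target_id]["gps"]
```

The same ownership or membership check belongs on every handler that takes an object identifier from the request, including password-reset and audio-channel endpoints.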
Pen Test Partners contacted the manufacturer to explain what had happened on 6 February 2019, and got a mail back from its marketing manager on 11 February. It sent more emails on 13 and 20 February, but Outdoor Tech refused to acknowledge the vulnerability or propose any fixes, Monie explained.