Outdoor Tech goes off-piste on recommended security practices
A popular range of wireless audio speakers for ski helmets has been found to leak personal data, users’ GPS positions, walkie-talkie chats, and more.
The flaws in Outdoor Tech’s CHIPS smart headphones were uncovered by Alan Monie of Pen Test Partners (PTP) after the winter sports enthusiast purchased one of their units.
After he noticed that he was able to pull up the user info of everyone called ‘Alan’ while setting up a group for walkie-talkie chats, Monie was encouraged to dig deeper.
He quickly discovered that, because of insecure direct object reference (IDOR) vulnerabilities, an attacker could access all manner of sensitive content without any authorization checks being made.
This sensitive information included:
- Usernames and associated email addresses
- Password hash and (worse yet) the password reset code, in plaintext
- Phone number
- Users’ real-time GPS position
- Walkie-talkie chats
Monie verified the problem by first getting permission from his friends before accessing their data, prior to notifying the US-based sports kit maker in early February.
After failing to get a meaningful response from the vendor for over a month, PTP went public with its findings on Monday (March 4).
PTP only published after warning Outdoor Tech late last month of its plans to go public since the “vulnerability hadn’t been acknowledged and no remediation actions had been proposed”.
Software development for the app had apparently been outsourced to Argentinian software developers, Simplex Software.
“We speculate that the development house wasn’t following OWASP secure development practices and Outdoor Tech wasn’t sufficiently versed in security to query this,” PTP’s Monie concluded.
“A shame, as we really like the product but its security is sorely lacking. Even intended functionality leaks personally identifiable information. That’s crazy.”
Monie told The Daily Swig that the web security mistakes made in developing Outdoor Tech’s kit were egregious.
“OutdoorTech is pretty much the worst API I’ve seen. It’s sending a list of most/all users email addresses to all the users doing a simple search. It’s a built-in data breach.”
PTP’s Andrew Tierney added: “This was a common thing with mobile apps four or five years back – user search just downloaded the whole DB. You think we would have learnt by now.”
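The two defects the article describes, an IDOR on the per-user endpoint and a user search that hands every caller the whole user table, are easy to see side by side in code. The following is an added example, not Outdoor Tech's, Simplex Software's or PTP's code: a toy in-memory user API with the vulnerable behaviour next to a hardened version that enforces object-level authorization, strips server-side secrets from every response, and limits what search can return. The records, friend graph and function names are all constructed for the example.

```python
"""Added example (not the vendor's code): vulnerable vs hardened user lookup.
Constructed data only; the record shape is an assumption about what such a
backend might store, based on the fields listed in the article."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    id: int
    username: str
    email: str
    phone: str
    password_hash: str
    reset_code: str                    # server-side secret; must never be returned
    gps: Optional[Tuple[float, float]]  # last reported (lat, lon), if any


# Constructed sample records.
USERS: Dict[int, User] = {
    1: User(1, "alan_a", "alan.a@example.test", "+1-555-0101", "$2b$12$hashA", "RST-1111", (46.5, 7.9)),
    2: User(2, "alan_b", "alan.b@example.test", "+1-555-0102", "$2b$12$hashB", "RST-2222", (45.9, 6.8)),
    3: User(3, "brigitte", "b@example.test", "+1-555-0103", "$2b$12$hashC", "RST-3333", None),
}

# Constructed friend graph: who is allowed to see whose position.
FRIENDS = {1: {2}, 2: {1}, 3: set()}

SECRET_FIELDS = ("password_hash", "reset_code")
PUBLIC_FIELDS = ("id", "username")


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


# --- Vulnerable shape (the problem the article describes) -------------------
def vulnerable_get_user(caller_id: int, target_id: int) -> dict:
    # IDOR: the caller's identity is never compared with the target, and the
    # whole record, secrets included, goes back to the client.
    return asdict(USERS[target_id])


def vulnerable_search(caller_id: int, query: str) -> List[dict]:
    # Prefix search that returns complete records for every match, so a short
    # or empty query is effectively a dump of the user table.
    return [asdict(u) for u in USERS.values() if u.username.startswith(query)]


# --- Hardened version ------------------------------------------------------
def hardened_get_user(caller_id: int, target_id: int) -> dict:
    """Object-level authorization: the owner gets their profile minus secrets,
    a friend gets public fields plus position, everyone else gets Forbidden.
    Unknown ids also raise Forbidden so the response does not confirm which
    ids exist."""
    target = USERS.get(target_id)
    if target is None:
        raise Forbidden()
    if caller_id == target_id:
        return {k: v for k, v in asdict(target).items() if k not in SECRET_FIELDS}
    if target_id in FRIENDS.get(caller_id, set()):
        return {"id": target.id, "username": target.username, "gps": target.gps}
    raise Forbidden()


def hardened_search(caller_id: int, query: str, min_len: int = 3, limit: int = 20) -> List[dict]:
    """Search returns only public fields, requires a minimum query length so it
    cannot be used to enumerate the table, and caps the number of results."""
    if len(query) < min_len:
        return []
    hits = [u for u in USERS.values() if u.username.startswith(query)]
    return [{k: getattr(u, k) for k in PUBLIC_FIELDS} for u in hits[:limit]]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_user(3, 1))           # leaks hash and reset code
    print("hardened:  ", hardened_get_user(1, 2))             # friend view: id, username, gps
    print("search:    ", hardened_search(3, "alan"))          # public fields only
```

The hardening is deliberately boring: an allow-list of response fields per relationship, an authorization decision made on the server for every object id, and search that returns only what the feature needs (enough to pick a friend for a group) rather than whatever the database row happens to hold.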
The Daily Swig contacted Outdoor Tech on Tuesday for comment on the apparent security shortcomings in its IoT-enabled sports accessory tech. We’ll update this story as and when we hear more.