Sometimes the “smartest” gadgets come with the shoddiest security.
Alan Monie, a security researcher at U.K. cybersecurity firm Pen Test Partners, bought and tested a pair of Chips 2.0 wireless speakers, built by California-based Outdoor Tech, only to find they’re a security nightmare.
The in-helmet speakers allow users to listen to music on the go, make calls and talk to friends through the walkie-talkie — all without having to take off their helmet. The speakers are connected to an app on your phone.
You’re probably thinking: how bad can the security be on a simple-enough pair of ski-helmet speakers?
According to Monie, who wrote up his findings, it’s easy to grab streams of data from the server-side API that the app communicates with, such as usernames, email addresses and phone numbers of anyone with an account. Monie said the API returned scrambled passwords, but that password reset codes were sent in plaintext.
Worse, it’s possible to reveal a user’s precise geolocation, and listen in on anyone’s real-time walkie-talkie conversations.
The only thing worse than the security flaws is the company’s lack of response when Monie reached out to get the issues fixed. After a short email exchange over several days, the company stopped responding, he said.
“We really like the product but its security is sorely lacking,” said Monie in his report.
It’s the latest example of many where gadget makers take little to no responsibility for the security of their hardware or software. With so many devices connected to the internet — either directly or through an app — every company has to think like a security company.
Outdoor Tech did not return a request for comment.