Another day, another addition to the trashfire that is Internet of Things’ security.
New research out Wednesday lifts the lid on vulnerabilities in two popular personal protection devices, which, if exploited, can open up their users to tracking or prevent the devices from working — rendering them effectively useless.
These personal protection devices, or panic buttons, are commonly used to discreetly alert friends or a designated other that a user may be in trouble. These devices come equipped with Bluetooth, so with a push of a button, a user can send their geolocation and a warning message through an accompanying app on their smartphone.
But it’s that Bluetooth connection that can open up these devices to manipulation, said Mark Loveless, a researcher at Duo Security, in new research released Wednesday.
Wearsafe’s personal protection device was vulnerable to a denial of service attack if flooded with connection requests, effectively locking the user out of the device until the battery is removed and reinserted. Loveless also found that the device nearly continually broadcasts its Bluetooth radio, making it easier for targeted tracking.
Revolar’s device was also found to be vulnerable to tracking, thanks to the device broadcasting the company’s name, albeit for a limited time of about an hour.
Although Wearsafe fixed the vulnerabilities, the device maker would not confirm the fix to the security firm. In an email sent later to ZDNet, the company said it “appreciated” Duo’s report, but would not say if a fix was on the way.
Revolar did not respond to Duo’s private disclosure, submitted through a contact form on the company’s website. The company shut down last year amid lawsuits and financial troubles but was saved by a sale and reopened. Its devices are still on sale in major retailers and outlets.
After publication, Revolar founder Jacqueline Ros said that the company is “working towards” a fix.
“While it is hard to determine what the future may hold for any IoT device, it is a harsh reminder that it is a tough market filled with lots of promise and shiny newness that often fails, sometimes unexpectedly,” said Loveless.
Updated at 1:55pm with a response from Revolar, and again at 7:45pm with comment from Wearsafe.