a Livall smart helmet in white with an orange stripe down the center with orange straps

Security flaw in a popular smart helmet allowed silent location tracking

by with No Comment Tech

a Livall smart helmet in white with an orange stripe down the center with orange straps

Image Credits: Mandel Ngan / AFP / Getty Images

The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets.

Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet’s in-built speaker and microphone, and share their real-time location in a friend’s group using Livall’s smartphone apps.

Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall’s smartphone apps had a simple flaw allowing easy access to any group’s audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall’s apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group’s six-digit numeric code.

“That 6-digit group code simply isn’t random enough,” Munro said in a blog post describing the flaw. “We could brute force all group IDs in a matter of minutes.”

In doing so, anyone could access any of the 1 million possible permutations of group chat codes.

“As soon as one entered a valid group code, one joined the group automatically,” said Munro, adding that this happened without alerting other group members.

“It was therefore trivial to silently join any group, giving us access to any users’ location and the ability to listen in to any group audio communications,” said Munro. “The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group.”

Munro and his security research colleagues are no strangers to finding obscure but often simple flaws in internet-connected products, like car alarms, dating apps and sex toys. The firm found in 2021 that Peloton was exposing riders’ private account data because of a leaky API, in which TechCrunch proudly played guinea pig.

After reaching out to Livall, which asked for more information, Munro sent details of the flaw on January 7 but did not hear back, and received no acknowledgement from the company.

Given the risk to users with no expectation that the flaw would be fixed, Munro alerted TechCrunch to the flaw and TechCrunch contacted Livall for comment.

When reached by email, Livall founder Bryan Zheng committed to fixing the app within two weeks of our email but declined to take down the Livall apps in the interim.

TechCrunch held this report until Livall confirmed it had fixed the flaw in app updates that were released this week.

In an email, Livall’s R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.

Security flaw left ‘smart’ chastity sex toy users at risk of permanent lock-in

Google says 10 companies in India, including 'many well-established' names it did not disclose, have violated Google Play Store policies

Google pulls popular Indian apps from store over fee dispute

by with No Comment Tech

Google says 10 companies in India, including 'many well-established' names it did not disclose, have violated Google Play Store policies

Image Credits: MANJUNATH KIRAN / AFP / Getty Images

Google pulled more than a dozen popular apps from Play Store in India on Friday after warning that it will be taking actions against developers who have persistently not complied with its billing policies, escalating a three-year dispute in what is the company’s largest market by users. Google said that 10 companies in the country, including “many well-established” names it did not disclose, had avoided paying fees despite benefiting from the platform.

The Android-maker, owned by Alphabet, said a small group of developers in India had more than three years to prepare and comply with Play Store’s payments policy but opted against it. These firms continue to comply with payment policies of other app stores, Google said.

Some Android apps of matrimony platforms Shaadi, Matrimony.com and Bharat Matrimony were pulled from the Play Store Friday. Info Edge’s Naukri and 99acres, audio storytelling apps Kuku FM and Stage, Alt Balaji’s Altt, dating service QuackQuack were also axed from the store. 

Android handsets command about 95% of the smartphone market in India. Getting whacked from the Google Play Store could pose existential crisis to many of the aforementioned names.

Murugavel Janakiraman, chief executive of Bharat Matrimony, said Google had pulled about 10 of the Indian firm’s apps from the store. Bharat Matrimony is evaluating legal options, he told TechCrunch, adding that he believes Google has violated an Indian antitrust watchdog’s order in its removal of the apps today. It’s a “dark day for the India internet,” he added.

Lal Chand Bisu, co-founder and chief executive of Kuku FM, said the Android maker had turned into “the most evil” partner to do business with and the Indian startup ecosystem was “completely” in its control.

“We are now faced with no option but to accept their terms. This will destroy our business and make Kuku FM unfordable for the majority of the country, but when have a monopoly cared about anything beyond itself,” he said in a post on X.

IAMAI, an influential industry association that represents some of the largest Indian startups as well as international firms, said in a statement that it has advised Google — a member of IAMAI — to not delist any apps from Google Play. The industry body said it is able to confirm that Google had sent notices to at least four of the group’s members.

“After giving these developers more than three years to prepare, including three weeks after the Supreme Court’s order, we are taking necessary steps to ensure our policies are applied consistently across the ecosystem, as we do for any form of policy violation globally,” Google wrote in a blog post. “Enforcement of our policy, when necessary, can include removal of non-compliant apps from Google Play.”

More than a dozen firms in India have challenged Google’s Play Store billing policy in recent years, arguing that Google is levying too high of a fee for the services it provides. Companies that filed petitions to the Madras High Court included Bharat Matrimony, Shadi.com, Unacademy, Kuku FM, Alt Digital Media and Info Edge, an Indian internet tech giant that operates the popular job recruitment platform Naukri. Disney’s Hotstar and Tinder have also challenged Google’s policy in India.

Sanjeev Bikhchandani, founder of Info Edge, told TechCrunch earlier Friday that Google had sent his firm a notice and said companies that are not compliant with the rules will be delisted. Info Edge had been compliant with Google’s rules, he insisted.

“We have been compliant since Feb 9, the date the Supreme Court order came out. There are no pending invoices of Google with us,” he said in a statement before his apps were pulled.

India is a key overseas market for Google, where it has invested billions over the past decade and now serves over half a billion people. The company said Friday that the Android and Play Store ecosystem collectively supported over 2.5 million jobs in India in 2022 and only 3% of developers in India need to pay a service fee in the country. Fewer than five dozen developers in India are subject to fees above 15%, the company said.

Google’s remark on Friday follows the Madras High Court rejecting petitions from several Indian tech companies against Google’s new user choice billing system in January.

“We’ve always respected local laws. For years, no court or regulator has denied Google Play’s right to charge for the value and services we provide,” Google wrote in the blog post. “On 9 February, the Supreme Court also refused to interfere with our right to do so. While some of the developers that were refused interim protection have started fairly participating in our business model and ecosystem, others choose to find ways to not do so.”

Google wrote in the blog post that the small group of developers that is not paying the fee while using the Play Store is creating “an uneven playing field across the ecosystem” and putting other apps and games at a “competitive disadvantage.”

The small group of developers can resubmit their apps by complying with the rules or maintain continuity on the Android ecosystem by partnering with alternative app stores, Google wrote.

To submit their apps on the Play Store, developers need to elect one of Google Play’s three options — consumption-only basis without paying a service fee (in which developers like Netflix only offer consumption to account holders) , integrating Google Play’s billing system (in which the developer agrees to pay Google the long-standing fee), or offer an alternative billing system (in which the developer’s fee is reduced.)

The story was updated throughout the day Friday. Ivan Mehta also contributed to this report.