It appears that no device is safe from hackers nowadays.
Two Bluetooth panic buttons were found to have weak security measures in place that make them vulnerable to exploitation by hackers.
This seems particularly ironic, given that the devices were created for the express purpose of personal safety.
Specifically, Bluetooth panic buttons created by wearable companies Wearsafe and Revolar have some flaws, according to Mark Loveless, a cybersecurity expert at software provider Duo Security.
Cybersecurity expert Mark Loveless discovered a security flaw in two Bluetooth ‘panic buttons’ made by Wearsafe and Revolar that left them open to being tracked remotely
Both the Wearsafe and Revolar devices were susceptible to a security flaw that allowed them to be tracked using cheap antennas.
It seems that the very technology that would help users in unsafe situations is also the very factor that might put them at risk of dangerous security flaws.
With a push of the panic button, users can quietly notify their friends or family of their location.
The device links to their smartphone via a Bluetooth connection, which enables the system to broadcast the user’s location and a warning message to their contacts.
Anyone who knows how a Bluetooth connection works would know that it’s also able to be tracked remotely.
The Wearsafe device can be tracked using a free scanner app or inexpensive antenna if you’re nearby, Loveless said.
‘With a free scanner app on a phone, the Wearsafe device was easily detected as long as you were within close range, and using a laptop along with a larger antenna, one could easily detect the device from longer distances,’ Loveless explained.
Someone could track the Wearsafe device up to a quarter mile away if they’re willing to shell out $50 on a more powerful antenna, he added.
‘It is easy to track the device from a slight distance, which kind of defeats the idea of having a stealth device,’ Loveless said.
It’s a bit more difficult to track the Revolar device, but it can still be done.
Revolar broadcasts the user’s location to a phone for about 30 minutes each hour, which could be just enough time for a tracker to pick up your location.
What’s even scarier, the attacker can use this narrow window of time to their advantage.
‘The main concern is that the attacker can adjust tactics (disguise, approach from behind, quickly restrain hands, etc.) to address the situation of the victim actually using the device,’ Loveless said.
The Wearsafe device was also found to be vulnerable to denial-of-service attacks.
In this case, Loveless flooded Wearsafe’s panic button device with a ton of Bluetooth connection requests.
Inundated with requests, the device was unable to reconnect to the user’s phone, which rendered the device useless.
The only way to make the device usable again is to complete a ‘hard reset,’ or to remove and reinsert the battery.
Loveless identified another security vulnerability left the Wearsafe Bluetooth panic button susceptible to denial-of-service attacks that would render the device virtually useless
Revolar’s panic button wasn’t susceptible to denial-of-service attacks.
Loveless said he contacted both Revolar and Wearsafe to notifty them of the security flaws.
He said Wearsafe addressed the security vulnerabilities, while Revolar never responded.
Interestingly, chip giant Qualcomm and Chinese smartphone maker ZTE announced a partnership with Wearsafe at CES 2018 to create a new set of personal safety wearables.
It’s unclear what kind of devices the companies plan to release (a CNet report suggested some kind of modern LifeAlert device).
But it seems that they’ll want to take Loveless’ security flaws into account this time around.