Flaws found in popular personal panic buttons could render them useless

And yet there's been nothing but silence from the companies.

Another day, another addition to the trashfire that is Internet of Things' security.

New research out Wednesday lifts the lid on vulnerabilities in two popular personal protection devices, which, if exploited, can open up their users to tracking or prevent the devices from working -- rendering them effectively useless.

These personal protection devices, or panic buttons, are commonly used to discreetly alert friends or a designated other that a user may be in trouble. These devices come equipped with Bluetooth, so with a push of a button, a user can send their geolocation and a warning message through an accompanying app on their smartphone.

But it's that Bluetooth connection that can open up these devices to manipulation, said Mark Loveless, a researcher at Duo Security, in new research released Wednesday.

Wearsafe's personal protection device was vulnerable to a denial of service attack if flooded with connection requests, effectively locking the user out of the device until the battery is removed and reinserted. Loveless also found that the device nearly continually broadcasts its Bluetooth radio, making it easier for targeted tracking.

Revolar's device was also found to be vulnerable to tracking, thanks to the device broadcasting the company's name, albeit for a limited time of about an hour.

But the two companies named in Duo's report have so far remained mum on the flaws that were disclosed late last year.

Although Wearsafe fixed the vulnerabilities, the device maker would not confirm the fix to the security firm. In an email sent later to ZDNet, the company said it "appreciated" Duo's report, but would not say if a fix was on the way.

Revolar did not respond to Duo's private disclosure, submitted through a contact form on the company's website. The company shut down last year amid lawsuits and financial troubles but was saved by a sale and reopened. Its devices are still on sale in major retailers and outlets.

After publication, Revolar founder Jacqueline Ros said that the company is "working towards" a fix.

"While it is hard to determine what the future may hold for any IoT device, it is a harsh reminder that it is a tough market filled with lots of promise and shiny newness that often fails, sometimes unexpectedly," said Loveless.

Updated at 1:55pm with a response from Revolar, and again at 7:45pm with comment from Wearsafe.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
