
What do you press when flaws in Bluetooth panic buttons are exposed?

Researcher able to DoS and track personal protection kit

By John Leyden


Security researchers have uncovered flaws in Bluetooth-based panic buttons that, in a worst-case scenario, make the affected kit "effectively useless."

Duo Labs put a range of Bluetooth-based personal protection devices – aka panic buttons – from ROAR, Wearsafe, and Revolar through their paces. These gadgets typically connect to your smartphone so that close friends and family can keep an eye on where you are. When triggered, the gizmos send out texts for help via the phone.

Researcher Mark Loveless found vulnerabilities in two of the widgets which, if exploited, can expose their users to stalking or worse.

Wearsafe's button was vulnerable to denial-of-service attacks. If the device is flooded with connection requests, the user can be locked out of it until the battery is removed and reinserted. The device also continually broadcasts over its Bluetooth radio, meaning it can be tracked.

Revolar's device was also found to be vulnerable to Bluetooth tracking.

"While it wasn't nearly as easy to remotely track a Revolar owner, it is still possible to track the owner of either the Revolar or Wearsafe device from a distance via Bluetooth with inexpensive antennas that extend the scanning range," said Loveless.

"Both devices allow for Bluetooth scanning to identify the device as a personal protection device. Both devices allow for somewhat insecure Bluetooth pairing."

IoT panic button security report card [Source: Duo Labs]

El Reg asked both Wearsafe and Revolar to comment. ®
