
What do you press when flaws in Bluetooth panic buttons are exposed?

Researcher able to DoS and track personal protection kit

By John Leyden


Security researchers have uncovered flaws in Bluetooth-based panic buttons that, in a worst-case scenario, make the affected kit "effectively useless."

Duo Labs put a range of Bluetooth-based personal protection devices – aka panic buttons – from ROAR, Wearsafe, and Revolar through their paces. These gadgets typically connect to your smartphone so that close friends and family can keep an eye on where you are. When triggered, the gizmos send out texts for help via the phone.

Researcher Mark Loveless found vulnerabilities in two of the widgets which, if exploited, can open their users to stalking or worse.

Wearsafe's button was vulnerable to denial-of-service attacks. By flooding it with connection requests, a hacker could lock the user out of the device until the battery is removed and reinserted. The device also continually broadcasts over its Bluetooth radio, meaning it can be tracked.

Revolar's device was also found to be vulnerable to Bluetooth tracking.

"While it wasn't nearly as easy to remotely track a Revolar owner, it is still possible to track the owner of either the Revolar or Wearsafe device from a distance via Bluetooth with inexpensive antennas that extend the scanning range," said Loveless.

"Both devices allow for Bluetooth scanning to identify the device as a personal protection device. Both devices allow for somewhat insecure Bluetooth pairing."

IoT panic button security report card [Source: Duo Labs]

El Reg asked both Wearsafe and Revolar to comment. ®
