Ski & bike helmets protect your head, not location or voice

ID: b0245d96-0277-509c-9bb0-1e4df775e97b

STIX ID: report--b0245d96-0277-509c-9bb0-1e4df775e97b

Feed Name: Pen Test Partners Blog

Date Published: 2024-02-07

Date Updated: 2026-03-24

Author: Ceri Coburn and Joe Blogs

Researchers discovered that Livall’s ski and bike helmet apps used weak 6-digit group codes and lacked join approvals, allowing attackers to brute-force codes, silently join groups, track users’ real-time locations, and eavesdrop on push-to-talk audio. After a challenging disclosure process and media escalation, Livall implemented stronger alphanumeric join codes, though usability issues and disclosure process concerns remain. The impact spans the larger bike app user base and the smaller ski app cohort.