Heels on fire. Hacking smart ski socks

TL;DR

• A silly-season BLE connectivity story
• Overheat people’s smart ski socks
• …but only when in Bluetooth range AND when the owner’s phone is out of range of their feet!

Having experienced painfully cold feet several times over the years while skiing, including once at minus 42°C in the Canadian Rockies, I am a strong believer in heated ski socks!

Older versions required adjusting on the ski boot using awkward buttons – not easy with thick ski gloves. It also involved bending down and fiddling under layers of ski gear to find the battery pack.

Everything is smart nowadays, so I was pleased to find these smart socks from Therm-IC:

They don’t come cheap, around £200 for a pair of socks?! Yes, but the technology is impressive. Were they actually secure though?

Only the socks with high-end power packs have Bluetooth functionality, to connect to the app for smart functionality.

The power pack was trivially easy to connect to from the app, and controlling the heat output is simple. There’s also an Apple Watch app, making heat control even easier.

Were they secure?

So, first check was to determine if there was a BLE pair or bond between the app and the power pack.

Pairing mode

Nope. Fell at the first hurdle.

Worse, there was no requirement for a long press or similar on the controller pack to put it into pairing mode. They were always pairable when turned on, whether connected to a phone or not.

Heat regulation

This means that as soon as the wearer walked out of range of their phone the power packs could be connected to by anyone. Stopping for something to eat or drink and the skier will take their coat off before going for a comfort break, a regular scenario. The phone would likely be in their coat, so they’d be out of Bluetooth range. The sock controller would then be in a state that anyone could connect to.

We tried it. There was an interesting few minutes as our ‘victim’ (a willing volunteer from our team) slowly realised that their socks were now on maximum heat power. These socks really pump out the heat when you dial them up to 10. Expletives were directed at us, while they tried to figure out how to turn them down.

Too hot!

Their first option was via their own phone, but of course that was no longer connected to the socks. Our phone was though!

The next option is the power pack itself, which can be manually turned off after rummaging around the ski pants cuff. Then the other power pack. Then a look of relief as a pair of ski boots were rapidly removed to accompanying (stinky) steam.

Was there any chance of causing skin damage? Very unlikely as the power packs have a self regulating temperature limit.

Hardware crypto mining

We’ll cover this in detail in a follow up post in the new year, but initial poking at the hardware and mobile app suggests that arbitrary code execution may be possible on the battery pack controllers. There’s a chance we could get the batteries to mine crypto. More on that when we get time.

Conclusion

Is this a real risk? We don’t think so. There’s a bit of fun to be had pranking friends with fancy smart ski socks.

With physical access to the battery packs for a period of time, yes, we could bypass those temperature limits, but so could anyone with some electrical engineering skills.

In the meantime, enjoy toasty feet.