Hacking makes the holidays so much more enjoyable, and nothing says trick or treat quite like pwning LED Halloween masks belonging to every neighborhood kid during candy-collection hours.

After purchasing a Bluetooth Low Energy (BLE) enabled mask with a programmable app for his family's "anything that glows" themed Halloween costumes, Bishop Fox senior security consultant Nathan Elendt discovered it was "shockingly easy" to load custom face images and control the mask with the app.

"I found the app automatically scanned for, found, and then controlled my brand new, out-of-the-box mask without so much as a single authentication check, giving me some insight into how these masks worked," he wrote in a Thursday blog. "It was fairly clear that there was no pairing or authentication checks ha

See Full Page