Star Wars' BB-8 turns to the dark side with rogue firmware update

Sphero's toy becomes the latest to suffer a major security vulnerability

A security hole has been found in one of the hottest toys to come out over Christmas, the BB-8 Star Wars droid by connected toymaker Sphero.

Any firmware updates to the toy are sent over plain HTTP, rather than the encrypted connection provided by SSL, found Ken Munro, of penetration testers Pen Test Partners, who branded the slip-up by Sphero as a "fail".

Code for the firmware

However, Munro admitted that, partly due to the functionality of the Internet of Things toy, there is "frankly not a lot [a hacker could do] right now".

"There doesn't appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it's not like it could be used for spying on the user," said Munro in a blog post.

"There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we're not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised."

Next steps for Pen Test Partners seem to be an attempt to put rogue software on the device and see if the researchers "could ... make it do some silly stuff, like head for the hills at high speed".

Another possibility would be to change the sound files on the associated app to make the cute little droid say some rather coarse things to the user - something the researchers previously achieved with a connected toy called My Friend Cayla, and which has been exploited by hackers in real life scenarios to shout at babies and toddlers through connected monitors.

Sphero's Star Wars BB-8 product is the latest in a series of high-profile toy hacks, which affected both Mattel and Vtech towards the end of last year.

"This is yet again proof that manufacturers are rushing into building internet-enabled devices without making security an integral part of the process," said security researcher Graham Cluley in a blog post.

"I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this," Cluley added.

Paul Farrington of Veracode voiced a similar sentiment.

"This case once again demonstrated the vulnerable nature of connected devices in the home. As we are seeing with many IoT manufacturers, too many consumer technology companies just aren't considering security as of primary importance to their core business," he said.

"Many toy manufacturers are not used to the rigor around secure development that is essential in today's environment and are inevitably falling short on security," he added.

Munro and his colleagues were somewhat more upbeat, however.

"WE LOVE BB-8. Great toy Sphero! But, Sphero could do a little better and implement SSL for their firmware updates. That this simple bug was missed suggests that security assurance could be more thorough. Maybe they accepted the risk, given it isn't a show stopping vulnerability," Munro said.

For its part, Sphero has said it is working on implementing SSL, although it has yet to give a timeline.
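To make the fix concrete, here is an added example of what a hardened update client looks like: the transport is restricted to HTTPS with certificate and hostname verification on, and the downloaded image is checked against a digest that a trusted, signed manifest would carry before anything is flashed. This is illustrative code written for this article, not Sphero's or Pen Test Partners' code; the URL, the sample image bytes, and the digest are constructed placeholders, and the `opener` hook exists only so the flow can be exercised offline.

```python
"""Hardened firmware-update client (added example, hypothetical names)."""
import hashlib
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample image and the SHA-256 a trusted manifest would list for it.
# These are made-up bytes, not a real firmware image or real Sphero values.
SAMPLE_IMAGE = b"BB8-FW\x00\x01demo-image-bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def check_update_url(url: str) -> bool:
    """Accept only https:// endpoints with a host; plain http:// is refused."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def make_tls_context() -> ssl.SSLContext:
    """Default context keeps chain validation and hostname checks enabled;
    additionally pin the floor to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification unexpectedly disabled")
    return ctx


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Integrity check of the downloaded image against the manifest digest."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def _https_fetch(url: str) -> bytes:
    """Real network path: verified TLS download (not used in the offline demo)."""
    with urllib.request.urlopen(url, context=make_tls_context(), timeout=30) as resp:
        return resp.read()


def fetch_update(url: str, expected_sha256: str, opener=None) -> bytes:
    """Download and validate an update; raise instead of flashing on any failure.

    `opener(url) -> bytes` may be supplied to stand in for the network."""
    if not check_update_url(url):
        raise ValueError(f"refusing non-HTTPS update URL: {url}")
    image = (opener or _https_fetch)(url)
    if not verify_image(image, expected_sha256):
        raise ValueError("firmware image digest mismatch; not flashing")
    return image


def simulate() -> dict:
    """Run three offline scenarios and report whether each was accepted:
    a genuine image over HTTPS, a tampered image over HTTPS (what an
    on-path attacker on a plain-HTTP channel could serve), and a
    plain-HTTP URL."""
    genuine = lambda _u: SAMPLE_IMAGE
    tampered = lambda _u: SAMPLE_IMAGE + b"\x90"  # one byte altered in transit
    outcomes = {}
    for name, url, opener in (
        ("genuine_https", "https://updates.example.com/bb8.bin", genuine),
        ("tampered_https", "https://updates.example.com/bb8.bin", tampered),
        ("plain_http", "http://updates.example.com/bb8.bin", genuine),
    ):
        try:
            fetch_update(url, SAMPLE_DIGEST, opener=opener)
            outcomes[name] = "accepted"
        except ValueError as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for scenario, result in simulate().items():
        print(f"{scenario}: {result}")
```

Two layers matter here and they are independent: TLS with verification stops an on-path party from substituting the image in transit, and the digest check against a separately trusted manifest catches a tampered image even if the transport is later downgraded or the server itself is compromised. In a shipping product the manifest digest should come with a signature checked against a key baked into the device, which this example leaves out.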
