Star Wars' BB-8 turns to the dark side with rogue firmware update

Sphero's toy becomes the latest to suffer a major security vulnerability

A security hole has been found in one of the hottest toys to come out over Christmas, the BB-8 Star Wars droid by connected toymaker Sphero.

Any firmware updates to the toy are sent over open HTTP, rather than the encrypted connection provided by SSL, found Ken Munro, of penetration testers Pen Test Partners, who branded the slip-up by Sphero as a "fail".

Code for the firmware

However, Munro admitted that, partly due to the functionality of the Internet of Things toy, there is "frankly not a lot [a hacker could do] right now".

"There doesn't appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it's not like it could be used for spying on the user," said Munro in a blog post.

"There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we're not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised."

Next steps for Pen Test Partners seem to be an attempt to put rogue software on the device and see if the researchers "could ... make it do some silly stuff, like head for the hills at high speed".

Another possibility would be to change the sound files on the associated app to make the cute little droid say some rather coarse things to the user - something the researchers previously achieved with a connected toy called My Friend Cayla, and which has been exploited by hackers in real life scenarios to shout at babies and toddlers through connected monitors.

Sphero's Star Wars BB-8 product is the latest in a series of high-profile toy hacks, which affected both Mattel and Vtech towards the end of last year.

"This is yet again proof that manufacturers are rushing into building internet-enabled devices without making security an integral part of the process," said security researcher Graham Cluley in a blog post.

"I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this," Cluley added.

Paul Farrington of Veracode voiced a similar sentiment.

"This case once again demonstrated the vulnerable nature of connected devices in the home. As we are seeing with many IoT manufacturers, too many consumer technology companies just aren't considering security as of primary importance to their core business," he said.

"Many toy manufacturers are not used to the rigor around secure development that is essential in today's environment and are inevitably falling short on security," he added.

Munro and his colleagues were somewhat more upbeat, however.

"WE LOVE BB-8. Great toy Sphero! But, Sphero could do a little better and implement SSL for their firmware updates. That this simple bug was missed suggests that security assurance could be more thorough. Maybe they accepted the risk, given it isn't a show stopping vulnerability," Munro said.

For its part, Sphero has said it is working on implementing SSL, although it has yet to give a timeline.
