Star Wars' BB-8 turns to the dark side with rogue firmware update
Sphero's toy becomes the latest to suffer a major security vulnerability
A security hole has been found in one of the hottest toys to come out over Christmas, the BB-8 Star Wars droid by connected toymaker Sphero.
Any firmware updates to the toy are sent over open HTML, rather than the encrypted connection provided by SSL, foundKen Munro, of penetration testers Pen Test Partners, who branded the slip-up by Sphero as a "fail".
Code for the firmware
However, Munro admitted that, partly due to the functionality of the Internet of Things toy, there is "frankly not a lot [a hacker could do] right now".
"There doesn't appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it's not like it could be used for spying on the user," said Munro in a blog post.
"There would have to be a near perfect storm in order to exploit this usefully:If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we're not aware of one)andthe victim has a BB-8and they do a firmware update whilst an attacker is in the locale then something could be compromised."
Next steps for Pen Test Partners seem to be an attempt to put rogue software on the device and see if the researchers "could ... make it do some silly stuff, like head for the hills at high speed".
Another possibility would be to change the sound files on the associated app to make the cute little droid say some rather coarse things to the user - something the researchers previously achieved with a connected toy called My Friend Cayla, and which has been exploited by hackers in real life scenarios to shout at babies and toddlers through connected monitors.
"This is yet again proof that manufacturers are rushing into building internet-enabled devices withouth making security an integral part of the process," said security researcher Graham Cluley in a blog post.
"I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this," Cluley added.
Paul Farrington of Veracode voiced a similar sentiment.
"This case once again demonstrated the vulnerable nature of connected devices in the home. As we are seeing with many IoT manufacturers, too many consumer technology companies just aren't considering security as of primary importance to their core business," he said.
"Many toy manufacturers are not used to the rigor around secure development that is essentional in today's environment and are inevitably falling short on security," he added.
Munro and his colleagues were somewhat more upbeat, however.
"WE LOVE BB-8. Great toy Sphero! But, Sphero could do a little better and implement SSL for their firmware updates. That this simple bug was missed suggests that security assurance could be more thorough. Maybe they accepted the risk, given it isn't a show stopping vulnerability," Munro said.
For its part, Sphero has said it is working on implementing SSL, although it has yet to give a timeline.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Evaluate your order-to-cash process
15 recommended metrics to benchmark your O2C operationsDownload now
AI 360: Hold, fold, or double down?
How AI can benefit your businessDownload now
Getting started with Azure Red Hat OpenShift
A developer’s guide to improving application building and deployment capabilitiesDownload now