Star Wars BB-8 vulnerable to firmware hacking

Pen-testers manage to access insecure firmware update process on Star Wars BB-8

Star Wars BB-8 vulnerable to firmware hacking
Star Wars BB-8 vulnerable to firmware hacking

A Star Wars toy has been shown to be vulnerable to hacking, however, researchers said the gadget can't go over to the dark side at the moment.

According to researchers at security consultancy Pen Test Partners, the BB-8 droid can be hacked, although this may not be that critical.

One problem exists in the way the device, made by Sphero, is updated. In a blog post, Ken Munro said that the app that is used with the droid to control it doesn't use encrypted communications during a firmware update.

According to the firm, a firmware update happens over HTTP instead of using an SSL connection (according to Wireshark logs used to test the security of the toy). An attacker on the same WiFi network as an Android phone could pair with the toy and carry out a Man-in-the-Middle attack.

The firm also discovered that there is no PIN security in the Bluetooth pairing process.

Pen Test Partners admitted that the as there was a lack of personal data collected by the robot and no camera that could be used by hackers to spy on people that hackers would probably not waste time on hijacking the toy.

“There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we're not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised,” said Munro.

“Popping rogue firmware on to the BB-8 would be interesting, particularly if we find functionality on there that would be of use. Could we make it do some silly stuff, like head for the hills at high speed? Could we turn it to the DARK SIDE?” he added.

Munro said it would be fairly trivial to change sound files on the app to make it say things to the user. He added that his firm had been in contact with Sphero and said it was “very responsive and acknowledged the bug”.

“Sphero could do a little better and implement SSL for their firmware updates. That this simple bug was missed suggests that security assurance could be more thorough. Maybe they accepted the risk, given it isn't a show-stopping vulnerability,” he said. “Though, they did a great job of acknowledging the bug and have a plan to get it fixed. A cool vendor.”

Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that with regards to the cleartext transfer of data over wireless networks for updates, this can only be seen as lackadaisical by the vendor.

“To capitalise on the update flaw, attackers would have to enact a MITM attack, however there are a host of tools and online resources far too easily available today to allow attackers to compromise home wireless networks with weak/insecure encryption keys/passwords. In this respect it's indeed a flaw, but risk levels remain relatively low,” he said.

“This is not the first time we seen the “internet of things” become almost a playtime target for hackers. It absolutely highlights the fact that vendors need to pay a great deal more attention to security measures for household appliances and toys, especially where children are concerned.”

Internet-connected toys and toy manufacturers have been shown of late to be not fully up to speed with protecting toys and users. Last December, VTech revealed how big a data breach it had suffered when hackers gained access to 6.4 million account details of parents that bought VTech toys and the children that played with them. Hello Kitty said goodbye to the details of 3.3 million children accessed because of a vulnerability in its MongoDB databases.

The Hello Barbie toy was shown to be vulnerable to the POODLE attack.