back to article Star Wars BB-8 toy in firmware update risk, say UK security bods

A Star Wars BB-8 internet of things toy comes with a vulnerability that leaves it open to malevolent influences of the Dark Side. The Sphero toy itself is very cute with some lovely functionality, with a slick mobile app. However, a preliminary assessment by UK security consultancy Pen Test Partners (PTP) has revealed a class …

  1. Christian Berger

    Again, running your own firmware is not a security problem

    Sure, firmware updates over the Internet should use HTTPs and perhaps some checksumming to check if you really have the firmware you wanted, however putting your own firmware onto a device is a right you have, not a security bug.

  2. SirWired 1

    I'm not real terrified...

    I'm guessing that the number of hackers that are going to mount a mass MiTM attack on a cute toy (outside of a hacker convention) is pretty small.

  3. cynic 2

    A good start

    Now pen-test the Death Stars. You know you want to.

    1. captain_solo

      Re: A good start

      I usually start with the Exhaust Port, they never secure that properly

      1. TheProf

        Re: A good start

        I'm sure chicken wire would keep a Proton Torpedo out.

  4. Daniel B.
    Boffin

    Interesting

    Not much of a vuln, but it can result in a MiTM attack. Wonder what kind of firmware would an attacker want to load a Sphero BB8 with?

    1. Message From A Self-Destructing Turnip

      Re: Interesting

      Dunno... some kind of malware that would shamelessly publicise their Pen Testing business, I expect.

      1. RubberJohnny

        Re: Interesting

        Wonder what kind of firmware would an attacker want to load a Sphero BB8 with?

        Something that could do some malicious work from the inside of your home network.

  5. Anonymous Coward
    Anonymous Coward

    "Wonder what kind of firmware would an attacker want to load a Sphero BB8 with?"

    Presumably only the Android app can access the internet - as the BB8 is connected via Bluetooth?

    However - if the BB8 can initiate connections with the internet - relayed via the app device - then it presumably can open ports on the router?

    If the BB8 Bluetooth is capable of being configured to Master mode then presumably it can control nearby devices which do have more capabilities useful to a hacker eg a printer that supports Bluetooth and wifi.

    1. This post has been deleted by its author

    2. NobbyNobbs

      I could imagine alternate firmware loaded for something like a BB-Father Jack, wanders around randomly swearing frequently.

      1. Hans Neeson-Bumpsadese Silver badge

        RE: @NobbyNobs

        "[...] wanders around randomly swearing frequently."

        That sounds like me...I guess being replaced by a robot is all part of progress

  6. pewpie

    New Functionality..

    Thas a good one..

    Like what? Charge per use?

  7. chivo243 Silver badge

    pairing?

    Does it pair with the lovely and hackable Barbie? Maybe there is something to the Toy Story ending?

    Maybe I should fire up the Teddy Ruxpin dolls that I have in storage?

  8. Kevin McMurtrie Silver badge
    WTF?

    Pen testing fail?

    Firmware updates don't use SSL because they're public information and they're digitally signed to prevent corruption/tampering. Until they update the article claiming that they've successfully altered the firmware, there is no vulnerability.

    1. Daniel Palmer

      Re: Pen testing fail?

      This is much like the barbie hack where they read out plain text data from the spi flash by wiring it up to a tool that talks to spi devices and did WiFi scans using features that are part of the firmware and used during provisioning.. They "hacked" nothing but made it sound like they did and sites posted their crap verbatim. Big head security reachers and clickbait news sites are a match made in heaven.

    2. Stoneshop Silver badge
      FAIL

      Re: Pen testing fail?

      The firmware file as present on the toy maker's servers is freely accessible and copyable (which is not quite the same as 'public information' though), but given the possibility of a MITM attack, can you be sure that the firmware on the toy is the file you downloaded? Whether that can only result in farty noises every few seconds because it's lacking sensors with which to spy on you is not the point; it being possible is, and now the makers are aware of it.

      1. Daniel Palmer

        Re: Pen testing fail?

        The transport used to get the firmware to the device doesn't matter if the firmware is signed. If they (the vendor) just rely on transport security to stop rogue firmware that would be a problem but they (pen testers) didn't show they could change the firmware and make the device download it and run it.

        All they have done is see something happens over a clear text protocol and made a noise about it.

  9. Anonymous Coward
    Anonymous Coward

    This is a waste of time

    Why are security researchers even bothering with crap like this. We have far more serious security issues than a hacker who happens to be within wifi range of a guy with an Android phone while he's updating the firmware on a toy. The odds of that are a million to one, and the harm doesn't even register on the threat-o-meter.

    What's the worst a hacker's firmware in a BB8 could do, annoy the cat by following it around everywhere making barking noises?

    1. BebopWeBop
      Devil

      Re: This is a waste of time

      Well first off it is a demonstrator - their services and an error in design that might well exist in more important systems.

      Secondly, anything that irritates my cats will result in life being made very unpleasant for the rest of us - they might stop their rodent patrol duties as well.

      1. heyrick Silver badge

        Re: This is a waste of time

        "an error in design that might well exist in more important systems"

        While this is undoubtedly true, would it not make more sense to uncover actual flaws in actual important systems, instead of hacking a toy with few sensors and stuff onboard and then extrapolating what this means?

        You know, my Bluetooth headphones don't ask me to enter a PIN. Security fail?

    2. TitterYeNot

      Re: This is a waste of time

      "What's the worst a hacker's firmware in a BB8 could do, annoy the cat by following it around everywhere making barking noises?"

      Junior - Hey BB-8, whats up? Why've you stopped rolling?

      BB-8 - Beep Beep Whir...Updating firmware...Please wait...Updating firmware...

      Junior - Hey, what's going on? Dad? BB-8's broken!

      BB-8 - <Jar Jar Binks voice> Mesa no broken! Ooh mooey mooey I love yousa!

      Junior - FFFFFFFFFFFFFFFFUUUUUUUUUUUUUUUU...

    3. dajames Silver badge

      Re: This is a waste of time

      What's the worst a hacker's firmware in a BB8 could do, annoy the cat by following it around everywhere making barking noises?

      It can't even do that ... the BB8 toy has no sensors with which to detect the cat, and no audio out with which to bark (sounds can be made by the controlling smartphone app, but not by the BB8 itself).

  10. Chris Gray 1
    Meh

    No internal sounds

    The BB-8 (yes, I have one - new app this morning with new preprogrammed buttons) does not have internal speakers or microphone. It can only drive around and blink lights in limited fashions. So, other than perhaps trying to pair with other devices, there isn't much it can do to hurt things. There is nothing at all in the "head" - just 2 magnets and some wheels to let it roll around the main ball.

    1. Anonymous Coward
      Anonymous Coward

      Re: No internal sounds

      There is nothing at all in the "head" - just 2 magnets and some wheels to let it roll around the main ball.

      Many politicians have this configuration. It has stood the test of time!

      1. wagonman

        Re: No internal sounds

        Thank you! Well put.

        vagnman

  11. Chris King

    Why worry about making BB-8 swear ?

    R2-D2 must have been a real potty-mouth, because everything he said was bleeped out.

    1. Comfy Chairs

      Re: Why worry about making BB-8 swear ?

      Watching the originals with the mindset that everything R2-D2 bleeps is on par with a drunken uncle spouting obscenities and racial slurs makes for a very entertaining take on the movies.

  12. Anonymous Coward
    Anonymous Coward

    Toy review

    ... the researchers said there are no useful sensors to speak of and no personal information.

    Sounds like a great toy... matches the description of lump of coal... only that goes faster (when i throw it).

  13. yoganmahew

    Bluetooth pin?

    Good luck figuring it out from the flashing lights.

    Not everything needs to be super secure - appropriate security is what's required...

    1. dajames Silver badge

      Re: Bluetooth pin?

      Good luck figuring it out from the flashing lights.

      In the case of a Bt controlled toy, the use for a PIN would be to control which Bt devices could control the toy. The PIN wouldn't need to be a dynamic value, or to be entered at the toy itself. A fixed PIN per device, set at the factory and printed on a label in the box, would be sufficient.

      Would that be more security than is appropriate? I suppose it depends how worried you are that someone else might decide that yours was just the droid he'd been looking for.

      Getting the device to flash the PIN out on its lights could be handy in case the printed label got lost. Nice idea.

  14. Anonymous Coward
    Anonymous Coward

    very cute with some lovely functionality

    such as...

    oh, I forgot, it rolls and emits bleeps.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022