Star Wars BB-8 toy in firmware update risk, say UK security bods

A Star Wars BB-8 internet of things toy comes with a vulnerability that leaves it open to malevolent influences of the Dark Side.

The Sphero toy itself is very cute with some lovely functionality, with a slick mobile app. However, a preliminary assessment by UK security consultancy Pen Test Partners (PTP) has revealed a class of vulnerability that’s commonplace in mobile apps, particularly those developed with the fast growing IoT market in mind.

Around 15 per cent or more of all Android apps in the Play store have issues with unprotected communication over the internet. Security researchers at PTP discovered that this is also true of the Android app that controls the BB-8 toy.

If you force a firmware update, it goes over HTTP instead of through a secure SSL connection, as evidenced by Wireshark logs on tests on the toy to PTP. Hackers within Wi-Fi range of an Android smartphone paired with the toy could therefore run a man-in-the-middle-attack.

However, simply changing the firmware on the toy would not enable a hacker to mount a more serious attack on a home network or something worth worrying about. The bug is not serious but worth mentioning as it illustrates a class of mistake that poses a much greater risk if it applied to a home hub or router.

“Popping rogue firmware on to the BB-8 would be interesting, particularly if we find functionality on there that would be of use,” a blog post by Pen Test Partners explains. “Could we make it do some silly stuff, like head for the hills at high speed?”

“It would also be fairly trivial to change the sound files on the app to make it say stuff to the user. I’ll bet we could make BB-8 swear too,” it adds.

The later comment is a reference to previous work by PTP researcher that changed the sound files on the My Friend Cayla toy and turned the doll into a potty-mouth princess.

The security researchers’ latest work on the galactic toy is even more a case of security researchers messing around with cool kit they’ve managed to get their hands on rather than discovering a fiendish hack.

The absence of SSL from updates is best described as an oversight rather than a a show-stopping vulnerability. PTP only went public on the vulnerability after contact the vendor, which proved receptive and promised an update, and after concluding that the security weaknesses failed to pose any meaningful risk.

“There doesn’t appear to be any personal data on the mobile app or the droid,” PTP explains. “There are no particularly useful sensors on it either, so it’s not like it could be used for spying on the user.”

Sphero told The Register: "We have done extensive research into the delivery mechanism of our firmware. While the things the [blog] article points out are true, we have absolutely no concerns about any vulnerability that would lead to a poor user experience.

"We acknowledge the concern over the security of IoT devices, and would like to lead the Connected Play space with security at the forefront of our strategy."

The Android app that controls the BB-8 talks to the droid over Bluetooth. PTP found there’s no PIN security in the pairing process, another relative minor security bug. PTP commented: “No pairing security isn’t an issue for BB-8 in its current guise, but if new functionality emerges in future."®