BB-8 Star Wars droid toy. The insecurity is strong with this one

Graham Cluley

The other night my wife and I were invited to dinner by some friends. Their two kids took great delight in showing us one of the favourite toys they had received for Christmas: a BB-8 droid toy that you can control from your smartphone.

What’s that? You don’t know who BB-8 is? As the android star of the new Star Wars movie, he/she/it is destined to become this generation’s R2-D2.

And the BB-8 remote control toy from Sphero looks like it’s a lot of fun, as you can see in this YouTube video:

BB-8 App-Enabled Droid || Built by Sphero


Wonderful isn’t it? Well, not so fast…

Because Ken Munro at Pen Test Partners has been having a lot of fun playing with his BB-8 droid toy, paired via Bluetooth to the bundled app running on his Android smartphone, and after a little digging found that it suffers a fundamental security flaw:

“If you force a firmware update, it goes over HTTP. No SSL. Fail!”


Pen Test Partners informed Sphero of the issue, and they are apparently working on implementing proper SSL security for a future update.

Fortunately, right now, according to Munro, there is not really any harm that could be done by exploiting the sloppy security, as the droid’s current functionality is very limited. So don’t panic if you bought a BB-8 droid for yourself or your kids this Christmas.

“There doesn’t appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it’s not like it could be used for spying on the user.

“There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we’re not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised.”

However, this is yet again proof that manufacturers are rushing into building internet-enabled devices without making security an integral part of the process.

I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this.
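To make the two fixes discussed on this page concrete, here is an added example of what an update client should do before it pushes anything to a device: refuse a plain-HTTP update URL (the transport fix Sphero was said to be working on) and verify a detached signature on the image with a pinned vendor key (the signing point raised in the comments below). This is illustrative code written for this post, not Sphero's app or firmware, and the key, image and URL are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

var (
	ErrInsecureTransport = errors.New("firmware update URL must use https")
	ErrBadSignature      = errors.New("firmware image signature does not verify")
)

// CheckUpdateURL refuses any update endpoint that is not served over TLS.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureTransport
	}
	return nil
}

// VerifyFirmware checks a detached Ed25519 signature over the SHA-256 digest
// of the image against a public key pinned in the app, so a modified image is
// rejected regardless of how it travelled from the update server.
func VerifyFirmware(pub ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed demo: throwaway vendor key, fake firmware image, tampered copy.
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("BB-8 firmware v1.0 (constructed sample)")
	digest := sha256.Sum256(image)
	sig := ed25519.Sign(priv, digest[:])
	fmt.Println("genuine image:", VerifyFirmware(pub, image, sig))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyFirmware(pub, tampered, sig))
	fmt.Println("plain-http url:", CheckUpdateURL("http://example.invalid/fw.bin"))
}
```

Both checks belong together: TLS alone does not protect a device whose update server is compromised, and a signature alone still leaks which firmware version a user is fetching.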

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “BB-8 Star Wars droid toy. The insecurity is strong with this one”

  1. coyote

    Bad as it is, I would be surprised if it doesn't worsen. That's of course a scary problem but I think it's the only reality we'll see: they only care about 'the benefits' (as well as making them seem necessary therefore further fuelling the belief that it is a 'need' instead of a 'want' as it is actually the latter) and the profit but are completely unaware of just how bad they are making things (literally and figuratively). It's shameful and reckless greed (… greed for attention, greed for profit, etc.).

  2. Techno

    This is not the droid you're…..

    OK, I'll get my coat.

  3. Octerain

    The force is strong with this one hmm hmm.

  4. Kylo Fuckin Ren

    Did he actually verify that the firmware updates aren't signed? iOS does not use HTTPS for OS or App Store updates because the files are signed and the sigs verified. There is no point adding the computational overhead of HTTPS when you only care about authentication and not confidentiality. This is some Troy Hunt level security research right here.

  5. Really

    Sphere founder claims to be a former pen tester.
