The other night my wife and I were invited to dinner by some friends. Their two kids took great delight in showing us one of the favourite toys they had received for Christmas: a BB-8 droid toy that you can control from your smartphone.
What’s that? You don’t know who BB-8 is? As the android star of the new Star Wars movie, he/she/it is destined to become this generation’s R2-D2.
And the BB-8 remote control toy from Sphero looks like it’s a lot of fun, as you can see in this YouTube video:
Wonderful isn’t it? Well, not so fast…
Because Ken Munro at Pen Test Partners has been having a lot of fun playing with his BB-8 droid toy, paired via Bluetooth to the bundled app running on his Android smartphone, and after a little digging found that it suffers a fundamental security flaw:
“If you force a firmware update, it goes over HTTP. No SSL. Fail!”
Pen Test Partners informed Sphero of the issue, and they are apparently working on implementing proper SSL security for a future update.
Fortunately, right now, according to Munro, there is not really any harm that could be done by exploiting the sloppy security, as the droid’s current functionality is very limited. So don’t panic if you bought a BB-8 droid for yourself or your kids this Christmas.
“There doesn’t appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it’s not like it could be used for spying on the user.
“There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we’re not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised.”
However, this is yet again proof that manufacturers are rushing into building internet-enabled devices without making security an integral part of the process.
I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this.
Bad as it is, I would be surprised if it doesn't worsen. That's of course a scary problem but I think it's the only reality we'll see: they only care about 'the benefits' (as well as making them seem necessary therefore further fuelling the belief that it is a 'need' instead of a 'want' as it is actually the latter) and the profit but are completely unaware of just how bad they are making things (literally and figuratively). It's shameful and reckless greed (… greed for attention, greed for profit, etc.).
This is not the droid you're…..
OK, I'll get my coat.
The force is strong with this one hmm hmm.
Did he actually verify that the firmware updates aren't signed? iOS does not use HTTPS for OS or App Store updates because the files are signed and the sigs verified. There is no point adding the computational overhead of HTTPS when you only care about authentication and not confidentiality. This is some Troy Hunt level security research right here.
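The signing-versus-TLS point raised in the comment above, and the firmware-update weakness the post describes, as an added example that is not from the post, the commenter or Sphero: a minimal updater check in Go, using Ed25519 from the standard library, in which an image fetched over plain HTTP is applied only if its detached signature verifies under a pinned vendor key and its version is newer than the one installed. The key pair, image bytes and version encoding are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update blob and its
// detached signature, as an updater might fetch them over plain HTTP.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte // Ed25519 signature over version || payload
}

// signedMessage binds the version number to the payload so that a genuine
// but older image cannot be replayed as a newer one.
func signedMessage(version uint32, payload []byte) []byte {
	msg := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(msg, payload...)
}

// SignFirmware is the vendor-side step (hypothetical; not Sphero's process).
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyFirmware is the app/device-side check: the image is applied only if
// the signature verifies under the pinned vendor key and the version does
// not roll back. Neither check needs confidentiality from the transport.
func VerifyFirmware(pub ed25519.PublicKey, installed uint32, img FirmwareImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Payload), img.Signature) {
		return errors.New("signature invalid: image rejected")
	}
	if img.Version <= installed {
		return errors.New("version not newer than installed: rollback rejected")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pinned in a real updater
	img := SignFirmware(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine image:", VerifyFirmware(pub, 1, img))
	img.Payload[0] ^= 0xff // simulates in-transit corruption of the plaintext download
	fmt.Println("tampered image:", VerifyFirmware(pub, 1, img))
}
```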
Sphero founder claims to be a former pen tester.