The toy is not a danger to its users, despite the unprotected firmware update hijacking vulnerability

Jan 9, 2016 15:30 GMT

A Star Wars toy created by Sphero that has IoT capabilities is vulnerable to firmware update hijacking, but security researchers say it can't be turned to the Dark Side, just yet.

Along with the release of "Star Wars Episode 7," a bunch of new toys were also launched, especially for the new trilogy's main characters.

One of those characters is the loveable BB-8 droid, which was actually a real-life, remote-controlled, fully functioning robot, making it very easy to scale down and later turn into a children's toy.

BB-8 (the toy) is vulnerable to firmware update hijacking

The version sold by Sphero comes with an Android and iOS app, which children can use to control their toy via Bluetooth.

According to Pen Test Partners researchers, the toy can be hacked, but unlike with other smart IoT devices, the damage is not actually that critical.

Security researchers say that the firmware update process is flawed because it takes place via HTTP, but the lack of any privacy-intrusive sensors or data collection features makes hijacking the toy a time-wasting operation.

Unless the hacker wants to change the toy's sound files and scare children, hijacking the firmware may not help them at all.

If left unfixed, the vulnerability could be dangerous in the future

Because toys get upgrades and new features all the time, the researchers contacted Sphero and let them know of the issue so they could fix it now before future versions of the toy put kids and their data at risk.

A worst-case scenario would be if a future BB-8 toy version featured a camera, allowing the kid to see where their toy goes. If Sphero doesn't fix the firmware update process, this would allow a third party to hijack the toy and use it to spy on the kid.

On top of this, researchers also found a problem with the Bluetooth stack used to connect the phone to the toy, which didn't use a PIN. However, researchers say that many other apps and toys that use Bluetooth pairing fail to protect this connection as well.

Hackers can't make BB-8 turn to the Dark Side

"There would have to be a near perfect storm in order to exploit this usefully," the researchers concluded. "If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we’re not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised."

Even if it wasn't a critical issue, Sphero has confirmed to the researchers that the firmware update process will be moved to SSL in upcoming versions.

Pen Test Partners is a company specializing in hacking IoT devices. Previously, they hacked smart fridges, water kettles, GoPro cameras, and smart TVs.