The other night my wife and I were invited to dinner by some friends. Their two kids took great delight in showing us one of their favourite toys from Christmas: a BB-8 droid toy that you can control from your smartphone.
What's that? You don't know who BB-8 is? As the android star of the new Star Wars movie, he/she/it is destined to become this generation's R2-D2.
And the BB-8 remote control toy from Sphero looks like it's a lot of fun, as you can see in this YouTube video:
Wonderful isn't it? Well, not so fast...
Because Ken Munro at Pen Test Partners has been having a lot of fun playing with his BB-8 droid toy, paired via Bluetooth to the bundled app running on his Android smartphone, and after a little digging found that it suffers a fundamental security flaw:
"If you force a firmware update, it goes over HTTP. No SSL. Fail!"
Pen Test Partners informed Sphero of the issue, and they are apparently working on implementing proper SSL security for a future update.
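As an added illustration of what "proper SSL" buys a firmware-update client (this is not code from Sphero or from Pen Test Partners' write-up), here is the pair of checks an update routine should make before flashing anything: refuse any endpoint that is not HTTPS with certificate verification, and refuse any image whose digest does not match the manifest. The URLs, firmware bytes and manifest digest are constructed samples, and the `opener` hook is there only so the example runs offline:

```python
"""
Added example: a minimal firmware-update fetcher that enforces TLS and
checks image integrity. Not Sphero's or Pen Test Partners' code; the
manifest format, URLs and firmware bytes are constructed for illustration.
"""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse


def validate_update_url(url: str) -> bool:
    """Accept only https:// URLs with a host and no embedded credentials.

    A plain-HTTP update channel gives an on-path attacker a free write into
    the device, which is exactly the flaw described above.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc) and parts.username is None


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the firmware image as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_firmware_digest(firmware: bytes, expected_hex: str) -> bool:
    """Compare the downloaded image against the manifest digest in constant time.

    The expected digest must itself arrive over an authenticated channel
    (the same TLS session, or a signed manifest); a hash fetched over plain
    HTTP can be rewritten along with the image.
    """
    return hmac.compare_digest(sha256_hex(firmware), expected_hex.lower())


def fetch_firmware(url: str, expected_hex: str, opener=None) -> bytes:
    """Download the image only over verified TLS, then check its digest.

    `opener` is a hypothetical hook (callable taking the URL, returning
    bytes) used here so the example can be exercised without a network.
    """
    if not validate_update_url(url):
        raise ValueError("refusing non-HTTPS firmware URL: %s" % url)
    # create_default_context() verifies the certificate chain and hostname.
    ctx = ssl.create_default_context()
    if opener is None:
        opener = lambda u: urllib.request.urlopen(u, context=ctx).read()
    image = opener(url)
    if not verify_firmware_digest(image, expected_hex):
        raise ValueError("firmware digest mismatch; refusing to flash")
    return image


if __name__ == "__main__":
    # Constructed sample: a fake image and the digest a signed manifest would carry.
    sample_image = b"BB-8 firmware v1.0 (constructed sample)"
    manifest_digest = sha256_hex(sample_image)
    offline = lambda _url: sample_image
    ok = fetch_firmware("https://updates.example/bb8.bin", manifest_digest, opener=offline)
    print("accepted %d bytes over HTTPS" % len(ok))
    try:
        fetch_firmware("http://updates.example/bb8.bin", manifest_digest, opener=offline)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the second check is that TLS alone only protects the image in transit; the manifest digest (or, better, a signature over the image) is what lets the device reject a bad image regardless of how it arrived.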
Fortunately, right now, according to Munro, there is not really any harm that could be done by exploiting the sloppy security, as the droid's current functionality is very limited. So don't panic if you bought a BB-8 droid for yourself or your kids this Christmas.
"There doesn’t appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it’s not like it could be used for spying on the user.
"There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we’re not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised."
However, this is yet again proof that manufacturers are rushing into building internet-enabled devices without making security an integral part of the process.
I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this.