BB-8 Star Wars droid toy. The insecurity is strong with this one


BB-8 toyThe other night my wife and I were invited to dinner by some friends. Their two kids took great delight in showing us one of the favourite toys they had received for Christmas: a BB-8 droid toy that you can control from your smartphone.

What’s that? You don’t know who BB-8 is? As the android star of the new Star Wars movie, he/she/it is destined to become this generation’s R2-D2.

And the BB-8 remote control toy from Sphero looks like it’s a lot of fun, as you can see in this YouTube video:

Wonderful isn’t it? Well, not so fast…

Because Ken Munro at Pen Test Partners has been having a lot of fun playing with his BB-8 droid toy, paired via Bluetooth to the bundled app running on his Android smartphone, and after a little digging found that it suffers a fundamental security flaw:

If you force a firmware update, it goes over HTTP. No SSL. Fail!”

Bb 8 code

Pen Test Partners informed Sphero of the issue, and they are apparently working on implementing proper SSL security for a future update.

Forunately, right now, according to Munro, there is not really any harm that could be done by exploiting the sloppy security as the droid’s current functionality is very limited. So don’t panic if you bought a BB-8 droid for yourself your kids this Christmas.

There doesn’t appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it’s not like it could be used for spying on the user.

There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we’re not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised.”

However, this is yet again proof that manufacturers are rushing into building internet-enabled devices without making security an integral part of the progress.

I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this.

Tags: , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , ,

5 Responses

  1. coyote

    January 11, 2016 at 1:12 am #

    Bad as it is, I would be surprised if it doesn’t worsen. That’s of course a scary problem but I think it’s the only reality we’ll see: they only care about ‘the benefits’ (as well as making them seem necessary therefore further fuelling the belief that it is a ‘need’ instead of a ‘want’ as it is actually the latter) and the profit but are completely unaware of just how bad they are making things (literally and figuratively). It’s shameful and reckless greed (… greed for attention, greed for profit, etc.).

  2. Techno

    January 11, 2016 at 9:25 am #

    This is not the droid you’re.….

    OK, I’ll get my coat.

  3. Octerain

    January 11, 2016 at 10:20 am #

    The force is strong with this one hmm hmm.

  4. Kylo Fuckin Ren

    January 11, 2016 at 11:39 am #

    Did he actually verify that the firmware updates aren’t signed? iOS does not use HTTPS for OS or App Store updates because the files are signed and the sigs verified. There is no point adding the computational overhead of HTTPS when you only care about authentication and not confidentiality. This is some Troy Hunt level security research right here.

  5. Really

    January 12, 2016 at 3:20 am #

    Sphere founder claims to be a former pen tester.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.