Star Wars' BB-8 turns to the dark side with rogue firmware update

A security hole has been found in one of the hottest toys to come out over Christmas, the BB-8 Star Wars droid by connected toymaker Sphero.

Any firmware updates to the toy are sent over open HTML, rather than the encrypted connection provided by SSL, foundKen Munro, of penetration testers Pen Test Partners, who branded the slip-up by Sphero as a "fail".

Code for the firmware

However, Munro admitted that, partly due to the functionality of the Internet of Things toy, there is "frankly not a lot [a hacker could do] right now".

"There doesn't appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it's not like it could be used for spying on the user," said Munro in a blog post.

"There would have to be a near perfect storm in order to exploit this usefully:If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we're not aware of one)andthe victim has a BB-8and they do a firmware update whilst an attacker is in the locale then something could be compromised."

Next steps for Pen Test Partners seem to be an attempt to put rogue software on the device and see if the researchers "could ... make it do some silly stuff, like head for the hills at high speed".

Another possibility would be to change the sound files on the associated app to make the cute little droid say some rather coarse things to the user - something the researchers previously achieved with a connected toy called My Friend Cayla, and which has been exploited by hackers in real life scenarios to shout at babies and toddlers through connected monitors.

Sphero's Star Wars BB-8 product is the latest in a series of high-profile toy hacks, which affected both Mattel and Vtech towards the end of last year.

"This is yet again proof that manufacturers are rushing into building internet-enabled devices withouth making security an integral part of the process," said security researcher Graham Cluley in a blog post.

"I would love to tell you that I have a new hope that 2016 will see the Internet of Things becoming smarter about security, but I have a bad feeling about this," Cluley added.

Paul Farrington of Veracode voiced a similar sentiment.

"This case once again demonstrated the vulnerable nature of connected devices in the home. As we are seeing with many IoT manufacturers, too many consumer technology companies just aren't considering security as of primary importance to their core business," he said.

"Many toy manufacturers are not used to the rigor around secure development that is essentional in today's environment and are inevitably falling short on security," he added.

Munro and his colleagues were somewhat more upbeat, however.

"WE LOVE BB-8. Great toy Sphero! But, Sphero could do a little better and implement SSL for their firmware updates. That this simple bug was missed suggests that security assurance could be more thorough. Maybe they accepted the risk, given it isn't a show stopping vulnerability," Munro said.

For its part, Sphero has said it is working on implementing SSL, although it has yet to give a timeline.

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.