Blog: Android

Star Wars BB-8 IoT toy: awesome fun, but can it be turned to the Dark Side with this vulnerability?

Ken Munro 06 Jan 2016

BB-8pic

Like all Star Wars fans, we are all over the merchandise. Hence, when we saw the amazing BB-8 IoT toy from Sphero, we HAD to have one.

It was of course purely for security research, but we had to have a play with it first. We were very impressed. The mobile app is very slick, the toy itself is very cute with some lovely functionality. Very appealing to those who love Star Wars. Watching it go out on ‘patrol’ and explore the office had us all laughing.

There’s a promotional video here
and it pretty much lives up to expectations set in the video.

Yes, it’s expensive at over £100 but I would say worth it.

 

HOWEVER

I spent a few minutes poking around the Android app that controls the BB-8. It talks to the droid over Bluetooth. There’s no PIN security in the pairing process, but I haven’t got round to investigating whether there’s anything that can be done there.

Various sources have indicated that around 15% or more of all Android apps in the Play store have issues with unprotected communication over the internet. That certainly correlates with our findings when testing Android apps.

So I spent some time rummaging around and MITM’d the wireless connection.

And here’s what I found. If you force a firmware update, it goes over HTTP. No SSL. Fail!

Evidence of this can be found by wiresharking the connection. It points at http://update.orbotix.com/sphero/current/ and constructs a request for the correct firmware.

For example: http://update.orbotix.com/sphero/current/SpheroM4Mix-3.73.bin

This is further revealed in the code in com.orbotix.fimware.e.class, here we can see it constructing the request:

BB-8code

We put this privately to Sphero, who were very responsive & acknowledged the bug. Props to Sphero!

SSL is being implemented currently, though a timeline hasn’t been shared with us.

What could you do with this?

Frankly, not a lot right now. That’s why I’m talking about it in public before an update has been published. There doesn’t appear to be any personal data on the mobile app or the droid. There are no particularly useful sensors on it either, so it’s not like it could be used for spying on the user.

There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we’re not aware of one) and the victim has a BB-8 and they do a firmware update whilst an attacker is in the locale then something could be compromised.

What next?

We want to have a look at the firmware to see what’s in there. Binwalk wasn’t immediately forthcoming with useful stuff, so more time needs spent there.

Popping rogue firmware on to the BB-8 would be interesting, particularly if we find functionality on there that would be of use. Could we make it do some silly stuff, like head for the hills at high speed? Could we turn it to the DARK SIDE?

Quick analysis of the protocol by my colleague Dave was interesting; it’s a simple binary protocol:

e.g

ROTATION_RATE = new RobotCommandId(“ROTATION_RATE”, 3, 3);

So it might be fun to write our own client for it and also fuzz it to see if there’s any undocumented functionality.

It would also be fairly trivial to change the sound files on the app to make it say stuff to the user. I’ll bet we could make BB-8 swear too.

The Bluetooth implementation also needs looking at. No pairing security isn’t an issue for BB-8 in its current guise, but if new functionality emerges in future…

We also really want to have a look at the new wrist controller or ‘Force Band’ for the BB-8 announced at CES this week. Another cool toy!

Conclusion

WE LOVE BB-8. Great toy Sphero!

But, Sphero could do a little better and implement SSL for their firmware updates. That this simple bug was missed suggests that security assurance could be more thorough. Maybe they accepted the risk, given it isn’t a show-stopping vulnerability.

Though, they did a great job of acknowledging the bug and have a plan to get it fixed. A cool vendor.