As the end-of-the-year holiday season approaches, many security researchers, consumer groups and even governments are warning against buying specific products or, at least, urging consumers to read up on the potential risks before buying them.
In the last year or so, security researchers have tested many smart toys, and found them wanting in the security and privacy department. Even the FBI is making an effort to educate consumers about the potential dangers of such toys.
Security flaws of Furby Connect
Which? has asked information security firm Context IS to assess the security of the popular Furby Connect talking toy.
Furby Connect is manufactured by Hasbro, and comes with a smartphone app that connects the toy to the Internet and to Hasbro’s AWS endpoints, from which it downloads updates and new downloadable content (DLC: songs, dances, and actions for the Furby Connect to perform).
“The Furby Connect’s predecessor, the Furby Boom, also featured an accompanying app, however communication between it and the Furby was accomplished by means of high-frequency audio. This time around, Hasbro have equipped the Furby Connect with a Bluetooth Low Energy (BLE) connection, allowing it to interface more reliably with its companion app,” the researchers explained.
After successfully sniffing the BLE connection during a content update, they discovered many potential security pitfalls.
“Right off the bat, none of the standard Bluetooth LE security features (e.g. authenticated pairing or link encryption) were in use by either the app or the Furby Connect. This meant that anyone within range of the communication could intercept unencrypted packets, inject their own content, or establish their own connection with the toy – all without any physical interaction required on the part of the user or the attacker,” they noted.
“Furthermore, we also observed that the Furby Connect was exposing a number of services in addition to those involved in receiving [proprietary] DLC updates, including one whose UUID matched with that normally associated with the Nordic Semiconductor Over-The-Air Direct Firmware Update service (DFU OTA.) This is typically used by Nordic Semiconductor devices to receive firmware updates over a BLE connection, and has a newer version (which supports signature-based verification of firmware updates) and an older version (which doesn’t.) The UUID matched the older version, meaning that anyone within range could in theory connect to the device and push their own unsigned firmware updates to it.”
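The two findings quoted above (no pairing or link encryption, and a legacy Nordic DFU service visible in GATT service discovery) are exactly what a sniffer capture makes visible. The following is an added example, not code from Context IS, Which? or Hasbro: it parses captured ATT Read By Group Type Responses (the PDUs a central receives when it discovers primary services), lists the service UUIDs, flags the public Nordic legacy DFU service UUID (00001530-1212-efde-1523-785feabcd123, which accepts unsigned images) versus the Secure DFU service (0xFE59), and records whether any SMP (pairing) traffic appeared on the link. The capture bytes are constructed for illustration; nothing here was taken from the actual Furby traffic.

```python
import struct

# Nordic Semiconductor DFU service UUIDs (public values from Nordic's SDK documentation).
LEGACY_DFU_SERVICE = "00001530-1212-efde-1523-785feabcd123"  # legacy DFU: no signature check on images
SECURE_DFU_SERVICE = "0000fe59-0000-1000-8000-00805f9b34fb"  # Secure DFU: signed images
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"               # Bluetooth base UUID tail for 16-bit UUIDs

ATT_READ_BY_GROUP_TYPE_REQ = 0x10
ATT_READ_BY_GROUP_TYPE_RSP = 0x11
L2CAP_CID_ATT = 0x0004   # fixed L2CAP channel for ATT on LE
L2CAP_CID_SMP = 0x0006   # fixed L2CAP channel for the Security Manager Protocol (pairing)


def uuid_from_bytes(raw):
    """Convert a little-endian 16- or 128-bit UUID as carried in an ATT PDU to canonical text."""
    if len(raw) == 2:
        return "0000%04x%s" % (struct.unpack("<H", raw)[0], BT_BASE_SUFFIX)
    if len(raw) == 16:
        h = raw[::-1].hex()  # ATT sends 128-bit UUIDs little-endian; reverse to get the usual order
        return "%s-%s-%s-%s-%s" % (h[:8], h[8:12], h[12:16], h[16:20], h[20:])
    raise ValueError("unsupported UUID length %d" % len(raw))


def parse_read_by_group_type_rsp(pdu):
    """Parse an ATT Read By Group Type Response into (start_handle, end_handle, uuid) tuples.

    PDU layout: opcode (1) | length of each attribute data entry (1) | entries...
    Each entry: start handle (2, LE) | end group handle (2, LE) | service UUID (2 or 16, LE).
    """
    if not pdu or pdu[0] != ATT_READ_BY_GROUP_TYPE_RSP:
        raise ValueError("not a Read By Group Type Response")
    entry_len = pdu[1]
    if entry_len not in (6, 20):  # 4 handle bytes + 2 or 16 UUID bytes
        raise ValueError("bad attribute data length %d" % entry_len)
    body = pdu[2:]
    if len(body) == 0 or len(body) % entry_len:
        raise ValueError("truncated attribute data list")
    services = []
    for off in range(0, len(body), entry_len):
        entry = body[off:off + entry_len]
        start, end = struct.unpack("<HH", entry[:4])
        services.append((start, end, uuid_from_bytes(entry[4:])))
    return services


def audit_capture(pdus):
    """Walk a decoded capture given as (l2cap_cid, payload) pairs and summarise what an attacker in
    range would learn: the discovered services, whether pairing was even attempted, and whether the
    legacy (unsigned) or secure (signed) Nordic DFU service is reachable."""
    services = []
    saw_smp = False
    for cid, payload in pdus:
        if cid == L2CAP_CID_SMP:
            saw_smp = True
        elif cid == L2CAP_CID_ATT and payload and payload[0] == ATT_READ_BY_GROUP_TYPE_RSP:
            services.extend(parse_read_by_group_type_rsp(payload))
    uuids = {u for _, _, u in services}
    return {
        "services": services,
        "pairing_observed": saw_smp,
        "legacy_dfu_exposed": LEGACY_DFU_SERVICE in uuids,
        "secure_dfu_exposed": SECURE_DFU_SERVICE in uuids,
    }


# Constructed capture (hypothetical, for illustration only): a service-discovery exchange with no SMP
# traffic at all, returning GAP (0x1800), GATT (0x1801) and the Nordic legacy DFU service.
CAPTURE = [
    # Read By Group Type Request for Primary Service (0x2800) over the whole handle range.
    (L2CAP_CID_ATT, bytes([ATT_READ_BY_GROUP_TYPE_REQ, 0x01, 0x00, 0xff, 0xff, 0x00, 0x28])),
    # Response with two 16-bit UUID entries (entry length 6).
    (L2CAP_CID_ATT, bytes([ATT_READ_BY_GROUP_TYPE_RSP, 0x06,
                           0x01, 0x00, 0x05, 0x00, 0x00, 0x18,
                           0x06, 0x00, 0x09, 0x00, 0x01, 0x18])),
    # Response with one 128-bit UUID entry (entry length 20): handles 10..15, legacy DFU UUID in LE order.
    (L2CAP_CID_ATT, bytes([ATT_READ_BY_GROUP_TYPE_RSP, 0x14, 0x0a, 0x00, 0x0f, 0x00])
                    + bytes.fromhex("23d1bcea5f782315deef12123015" "0000")),
]


if __name__ == "__main__":
    result = audit_capture(CAPTURE)
    for start, end, uuid in result["services"]:
        print("service 0x%04x-0x%04x %s" % (start, end, uuid))
    print("pairing observed:", result["pairing_observed"])
    print("legacy (unsigned) DFU exposed:", result["legacy_dfu_exposed"])
```

Two caveats when using this against a real capture. First, "no SMP traffic" only shows that pairing was not attempted in the captured session; a previously bonded pair would re-enable encryption at the link layer (LL_ENC_REQ/LL_ENC_RSP), which a sniffer shows but this L2CAP-level parser does not model, and once encryption is on the ATT payloads would not be readable in the first place. Second, a matching UUID is strong but not conclusive evidence: the vendor could have reused the UUID on a modified bootloader, so the authoritative check is whether the DFU control point accepts an image with an invalid or missing signature, which is what the researchers' "in theory" wording leaves open.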
They even succeeded in making the toy play specific audio files and show graphics in the Furby’s eyes. And, even though they didn’t have enough time to find a way to turn the Furby into a listening device, they believe this is possible to pull off by re-engineering its firmware and pushing it to the toy (which lacks firmware update authentication).
Hasbro has reacted to the report by saying that they “carefully designed the Furby Connect toy and the Furby Connect World app to comply with children’s privacy laws,” and that they’ve engaged a third party to perform security testing on both.
They played down the danger of the toy and app getting hacked.
“While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the Furby Connect toy, creating new firmware, and then updating the firmware, which requires being within Bluetooth range while the Furby Connect toy is in a ‘woke’ state. A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware,” they said.
They also added that the toy and the app “were not designed to collect users’ name, address, online contact information or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.”