Furby Rickroll demo: What fresh hell is this?
Toy-makers, please quit this rubbish, you're NO GOOD at security
Here's your future botnet, world: connected kids toys that will Rickroll their owners while hosing big servers and guessing the nuclear codes.
Hacker Jake Davis, once known as "Topiary" of LulzSec, plucked out the work of Florian Euchner, who pulled apart the Bluetooth variant that toy-maker Hasbro uses to update its "Furby" dolls with new content.
The video below the fold is equal parts cute and scary, but as you can see from Euchner's GitHub repo, he's well along the path to reverse-engineering Hasbro's Bluetooth.
“Furby can be interacted with stand-alone or while connected to the Android / iOS App 'Furby Connect World', which takes full control of Furby's movement and speech and sends updates it pulls from Hasbro's servers at Amazon AWS.”
He's already documented a decent amount of what goes on in a Furby's “brain” (two microcontrollers, a GeneralPlus chip that seems to handle movement, and a Nordic Semiconductor chip that runs Bluetooth Low Energy comms).
His documentation list covers Furby Bluetooth; the two chips' commands and responses; Furby's action sequences; the app update mechanism; a list of possible names for Furby; and the DLC files that bring new content and firmware upgrades into Furbies' brains.
With all that, you won't be surprised that he's also worked out how to flash a custom DLC, which is why Davis thought of botnets when he started tweeting about it:
A Furby that can be updated from "the app" is a Furby whose eyes will flash red and whose mouth will constantly sing Never Gonna Give You Up— Jake Davis (@DoubleJake) January 23, 2017
In his GitHub post, Euchner notes that no Furbies were harmed in the making of the hack: he didn't want to peel it open, partly because a Furby isn't cheap.
Here's a nice detail: if the documentation is correct, the Furby Connect World app doesn't bother with niceties like HTTPS for its startup connection:
“When first starting up, the Furby Connect World connects to a server http://fluff-gameupdates.s3.amazonaws.com/ and downloads in-game content, like the 3D models, background music and other sounds”.
Later, stuff gets encrypted – but Davis notes, with a suitable proxy, that wasn't a problem.
Since Euchner still has a few items on his to-do list, including working the structure of the DLC files, there's still plenty of fun to be had for tinkerers. ®
Bootnote: The author originally mis-attributed the work to Jake Davis. My apologies to Florian Euchner, and thanks to the reader who brought it to my attention. ®
Sponsored: Becoming a Pragmatic Security Leader