Don't Feed Them After Midnight: Reverse-Engineering the Furby Connect (contextis.com)
106 points by pdjstone on Nov 24, 2017 | hide | past | favorite | 26 comments



All it takes is a single goatse to appear on one child's furby's eyes or on a demo unit in a shop and the brand is ruined. I think they need to reconsider that response.


Perhaps you're unaware that an earlier edition of this product had a bug that made the device randomly speak with a terrifying satanic voice. My niece experienced it first-hand.


I had one when I was a kid. Hilariously it did the satanic voice after I threw it against a wall. Didn't do that again.


Not a bug. Working as intended.


I had no idea about that!


I agree, especially now that there's rather comprehensive documentation available online; clearly it doesn't require a "tremendous amount of engineering" to hack the device anymore.

It also seems like it would be rather trivial to mitigate this issue in an update, either by securing the BLE connection or by signing and verifying update payloads (or preferably both).
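The mitigation the comment above mentions, signing update payloads on the vendor side and verifying them on the device before anything is written to flash, is shown below as an added example. It is not code from the original thread or from Hasbro or Context; the `FirmwareImage` container format, the `signedMessage` layout (4-byte version followed by the payload) and the vendor/device split are assumptions made for the illustration. It uses Go's standard-library Ed25519 so only the public key needs to live on the toy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update container: a version number, the
// raw payload, and an Ed25519 signature over version||payload.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// GenerateVendorKey creates the vendor's signing key pair. The private half
// stays on the build server; only the public half is embedded in the device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedMessage returns the exact bytes that are signed. The version is
// covered by the signature so a genuine old payload cannot be re-wrapped
// with a higher version number to get past the rollback check.
func signedMessage(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage is the build-server side: it produces a signed update container.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return FirmwareImage{Version: version, Payload: payload, Signature: sig}
}

// VerifyImage is the device side: it must succeed before the update is
// applied. The signature is checked first so that an unauthenticated sender
// (e.g. over an open BLE link) cannot even influence the version comparison.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img FirmwareImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a real firmware blob.
	img := SignImage(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("genuine v2 on a v1 device:", VerifyImage(pub, 1, img))
	fmt.Println("same image on a v2 device:", VerifyImage(pub, 2, img))

	tampered := img
	tampered.Payload = append([]byte{}, img.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("payload altered in transit:", VerifyImage(pub, 1, tampered))
}
```

Signing the update does not by itself encrypt the BLE link, so audio and eye-display commands sent over an open connection would still need pairing or an application-layer check; what it does close is the "push arbitrary firmware" path, and it also rejects downgrades to an older signed build.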


Even putting aside malicious use, which sounds hard, bricking the toy with a bad firmware patch sounds doable.

“Mooooom! Jane killed my furbie with an exploit!”


This is the cyberpunk future reality that the science fiction authors missed the ball on :)


This could be the perfect thing to announce a failing code build.....begone old traffic light systems, Jenkins + Furby could be a thing of beauty.


Company response is "Yeah, that's way too hard, nobody can do that".


Company response is so typical, it hurts to read.


Why? As long as it doesn't have a microphone/camera then this sounds like a positive.


And they don't collect any sort of personal data. Hasbro did a pretty solid job here minimizing risk surface area.


Bluetooth LE range is easily magnified with a cantenna. The device will play audio sent to it over an unencrypted, unauthenticated link to your kids. Also it will show videos sent over the same link (but they must be small because eyes are small).

Both of these are problems for some parents.


Why don't they just enable basic Bluetooth security features instead of saying that it's too hard to exploit and leaving it at that?

Excellent write-up though.


Because they probably paid some contractor to design it and requesting this as an update would be expensive. Most likely some director doesn't think it's worth the money. Furthermore, the security team / one random guy who is now told to handle security duties after they got that e-mail most likely has an IT background and thinks reverse engineering embedded systems is impossibly difficult.

It would only be done if the press started publishing clickbait involving "THIS TOY IS WATCHING YOUR CHILDREN!!" as most IoT security not done by the top companies is entirely reactive.

Just a guess though. Never worked for Hasbro.


Are those features included in BLE? AFAIK it's a completely separate protocol from regular Bluetooth.


BLE supports pairing and bonding. It is optional; by default every connection is unencrypted and unauthenticated.


Pairing is a big pain point though, AIUI; releasing this toy with the need to pair it first would probably have cost them significant numbers of returns. Not saying it's justified, but ...

Perhaps they could give away an optional tin-foil suit for furbies of owners who have security concerns!


Oh yeah, totally. BLE support on both Android and iOS is lacking. Older versions of Android, and I believe all versions of iOS (please correct me if I'm wrong), do not offer a programmatic way of supplying the PIN for pairing. This means that when you programmatically connect to a BLE device from an app, the user will get a PIN prompt. This prompt covers most of the screen so it really is a pain.

Though for the furby it shouldn't be too bad. Just display the PIN on one of its eyes.


The company response stated:

> A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.

Which implies they failed to understand what they were being told. The engineering required to do this exploit has already been done, so it doesn't matter how hard it is. Once it's been done, it's been done.


I believe they ought to reevaluate that reaction.


But it's always after midnight.


"while the FURBY CONNECT toy is in a "woke" state" I couldn't help but chuckle at this.


woke asf



