BB8 toy by Sphero
Security researchers have found a vulnerability in the BB8 toy's Android app, which highlights the issues with IoT devices Sphero

Security researchers have discovered a security vulnerability in the Star Wars BB8 toy by Sphero that makes it vulnerable to being hijacked and remotely controlled by hackers, or made to swear at people who play with it.

The Star Wars BB8 App-Enabled Droid toy was one of the most popular gifts during Christmas 2015, particularly because it is comes paired with a mobile app for both iOS and Android that lets users remotely control the robot from their smartphones or tablets.

But now researchers from penetration testing firm Pen Test Partners have discovered that the BB8 toy is plagued by a security vulnerability that affects over 15% of all Android apps on the Google Play store.

"If you force a firmware update, it goes over HTTP. No SSL. Fail!" Ken Munro, senior partner at Pen Test Partners wrote in a blog post. The firm notified Sphero who have acknowledged the bug and say they plan to update the app, but the update hasn't yet been published.

The researchers say that the BB8 app doesn't contain any personal data or any useful sensors, so although a hacker could run a man-in-the-middle-attack if they were within Wi-Fi range of the toy and the Android device paired to it, there's not much that a hacker could really do with the vulnerability. For example, the hacker certainly wouldn't be able to hijack your smartphone to turn on your microphone or camera to spy on you, or access any important details about you.

"There would have to be a near perfect storm in order to exploit this usefully: If there was a current vulnerability in the Android (or iOS) Bluetooth stack (we're not aware of one) and the victim has a BB8 and they do a firmware update whilst an attacker is in the locale then something could be compromised," wrote Munro.

Make sure to secure traffic in IoT-enabled devices

However, Munro says that the point of highlighting the BB8 toy security vulnerability isn't to scare users, but rather to highlight the problems with the fast-growing number of Internet of Things (IoT)-enabled devices, where cybersecurity mistakes can sometimes occur.

IoT refers to smart devices that wirelessly send information back to a computer server or smartphone app to help people make better decisions, keep tabs on machines to prevent problems and better use their resources.

If the same HTTP unsecured traffic mistake happened with a wireless device such as a router and hackers were able to hijack it, the stakes would be much higher, so it is just as well that the BB8 app is limited to only contacting the BB8 robot toy by Bluetooth, although the researchers also noted that the Bluetooth pairing process doesn't have PIN security, although that isn't a huge issue at the moment.

"We have done extensive research into the delivery mechanism of our firmware. While the things the [blog] article points out are true, we have absolutely no concerns about any vulnerability that would lead to a poor user experience," Sphero told The Register.

"We acknowledge the concern over the security of IoT devices, and would like to lead the Connected Play space with security at the forefront of our strategy."