Long before things “went viral” there were always a few “must have” toys each year that were in high demand. Cabbage Patch Kids, Transformers, or Teddy Ruxpin would cause virtual hysteria in parents trying to score a toy for a holiday gift. In 1998, that toy was a Furby — a sort of talking robot pet. You can still buy Furby, and as you might expect, a modern one — a Furby Connect — is Internet-enabled and much smarter than previous versions. While the Furby has always been a target for good hacking, anything Internet-enabled can be a target for malicious hacking, as well. [Context Information Security] decided to see if they could take control of your kid’s robotic pet.
The Furby Connect’s path to the Internet is via BLE to a companion phone device. The phone, in turn, talks back to Amazon Web Service servers run by Hasbro (the toy’s maker). The company sends out new songs, games, and dances. Because BLE is slow, the transfers occur in the background during normal toy operation.
Among the toy’s BLE services, there was a common DFU service for uploading firmware and an interface for sending proprietary DLC files. They found an existing project that could send existing DLC files to the device and even replace audio in those files. However, the format of the DLC files appeared to be unknown outside of Hasbro.
When they attacked the DLC files with a hex editor, some of the format seemed pretty obvious. However, some of it was quite elusive. The post has a great blow-by-blow account of the investigation and, as you can see in the video below, they were successful.
Hasbro didn’t seem too concerned about the security ramifications because an attacker would have to have proximity to the toy. It isn’t hard to think of cases where that’s not a great excuse, but we suppose it does cover the most common things you’d worry about.