Toy-makers, please quit this rubbish, you’re NO GOOD at security
Here’s your future botnet, world: connected kids toys that will Rickroll their owners while hosing big servers and guessing the nuclear codes.
Hacker Jake Davis, once known as “Topiary” of LulzSec, has pulled apart the Bluetooth variant that toy-maker Hasbro uses to update its “Furby” dolls with new content.

The video below the fold is equal parts cute and scary, but as you can see from Davis’ GitHub repo, he’s well along the path to reverse-engineering Hasbro’s Bluetooth.
“Furby can be interacted with stand-alone or while connected to the Android / iOS App ‘Furby Connect World’, which takes full control of Furby’s movement and speech and sends updates it pulls from Hasbro’s servers at Amazon AWS.”
He’s already documented a decent amount of what goes on in a Furby’s “brain” (two microcontrollers, a GeneralPlus chip that seems to handle movement, and a Nordic Semiconductor chip that runs Bluetooth Low Energy comms).
His documentation list covers Furby Bluetooth; the two chips’ commands and responses; Furby’s action sequences; the app update mechanism; a list of possible names for Furby; and the DLC files that bring new content and firmware upgrades into Furbies’ brains.
With all that, you won’t be surprised that he’s also worked out how to flash a custom DLC, which is why Davis thought of botnets:

A Furby that can be updated from “the app” is a Furby whose eyes will flash red and whose mouth will constantly sing Never Gonna Give You Up
— Jake Davis (@DoubleJake) January 23, 2017
In his GitHub post, Davis notes that no Furbies were harmed in the making of the hack: he didn’t want to peel it open, partly because a Furby isn’t cheap.
Here’s a nice detail: if Davis’ documentation is correct, the Furby Connect World app doesn’t bother with niceties like HTTPS for its startup connection:
“When first starting up, the Furby Connect World connects to a server http://fluff-gameupdates.s3.amazonaws.com/ and downloads in-game content, like the 3D models, background music and other sounds”.
Later, stuff gets encrypted – but Davis notes that, with a suitable proxy, that wasn’t a problem.
Since Davis still has a few items on his to-do list, including working out the structure of the DLC files, there’s still plenty of fun to be had for tinkerers. ®