Is your New Toy Hackable?

29 Dec

Over the last few days, many children will have received gifts of the latest interconnected toys. Sadly, as a security community, we know many of these will be insecure. We’ve seen lots of reports about how Barbie and Cayla can be easily hacked.

Some have claimed they have yet to find a toy they could not break into.

I am looking forward to a news story along the following lines…

“As experienced penetration testers we’ve tried everything we know, but can’t break it:

  • Reverse engineering the controlling app to inspect the source code. No hidden passwords or points of interest found;
  • Web connections all use TLS with pinned certificates, and we can’t get the keys;
  • Entropy of the symmetric TLS session keys is good too;
  • The cloud service stacks up to penetration testing. SQL injections did not work;
  • Network sniffer tools found nothing to cause alarm;
  • We extracted the toy firmware and reverse-engineered it; no problems found;
  • We pulled the hardware apart, no removable hidden micro SD cards to play with;
  • No control ports we could do anything useful with;
  • Overflowed any buffers we could find, no issues;
  • Wi-Fi and Bluetooth configurations were solid.”

“In short, we’ve thrown the tool bag at it, and nothing bad happened.”

2015 did bring some cheer along these lines with the Tesla hack, where the developers were praised for the care taken in their security design.

Will I see my desired headline before Christmas 2016?
If you know of any such headline, please do let us know!

Please join the discussion, we welcome your views...
