Vulnerabilities in a toy robot permitting snooping. Seriously

Kaspersky experts recently studied the security of a popular toy robot model, finding major issues that allowed malicious actors to make a video call to any such robot, hijack the parental account, or, potentially, even upload modified firmware. Read on for the details.

What a toy robot can do

The toy robot model that we studied is a kind of hybrid between a smartphone/tablet and a smart-speaker on wheels that enables it to move about. The robot has no limbs, so rolling around the house is its only option to physically interact with its environment.

The robot’s centerpiece is a large touchscreen that can display a control UI, interactive learning apps for kids, and a lively, detailed animated cartoon-like face. Its facial expressions change with context: to their credit the developers did a great job on the robot’s personality.

You can control the robot with voice commands, but some of its features don’t support these, so sometimes you have to catch the robot and poke its face the built-in screen.

In addition to a built-in microphone and a rather loud speaker, the robot has a wide-angle camera placed just above the screen. A key feature touted by the vendor is parents’ ability to video-call their kids right through the robot.

On the front face, about halfway between the screen and the wheels, is an extra optical-object-recognition sensor that helps the robot avoid collisions. Obstacle recognition being totally independent of the main camera, the developers very usefully added a physical shutter that completely covers the latter.

So, if you’re concerned that someone might be peeping at you and/or your child through that camera — sadly not without reason as we’ll learn later — you can simply close the shutter. And in case you’re worried that someone might be eavesdropping on you through the built-in microphone, you can just turn off the robot (and judging by the time it takes to boot back up, this is an honest-to-goodness shutdown — not a sleep mode).

As you’d expect, an app for controlling and monitoring the toy is available for parents to use. And, as you must have guessed by now, it’s all connected to the internet and employs a bunch of cloud services under the hood. If you’re interested in the technical details, you can find these in the full version of the security research, which we’ve published on Securelist.

As usual, the more complex the system — the more likely it is to have security holes, which someone might try to exploit to do something unsavory. And here we’ve reached the key point of this post: after studying the robot closely, we found several serious vulnerabilities.

Unauthorized video calling

The first thing we found during our research was that malicious actors could make video calls to any robot of this kind. The vendor’s server issued video session tokens to anyone who had both the robot ID and the parent ID. The robot’s ID wasn’t hard to brute-force: every toy had a nine-character ID similar to the serial number printed on its body, with the first two characters being the same for every unit. And the parent’s ID could be obtained by sending a request with the robot ID to the manufacturer’s server without any authentication.

Thus, a malicious actor who wanted to call a random child could either try to guess a specific robot’s ID, or play a chat-roulette game by calling random IDs.

Complete parental account hijack

It doesn’t end there. The gullible system let anyone with a robot ID retrieve lots of personal information from the server: IP address, country of residence, kid’s name, gender, age — along with details of the parental account: parent’s email address, phone number, and the code that links the parental app to the robot.

This, in turn, opened the door for a far more hazardous attack: complete parental-account hijack. A malicious actor would only have needed to have taken a few simple steps:

• The first one would have been to log in to the parental account from their own device by using the email address or phone number obtained previously. Authorization required submitting a six-digit one-time code, but login attempts were unlimited so trivial brute-forcing would have done the trick.
• It would only have taken one click to unlink the robot from the true parental account.
• Next would have been linking it to the attacker’s account. Account verification relied on the linking-code mentioned above, and the server would send it to all comers.

A successful attack would have resulted in the parents losing all access to the robot, and recovering it would have required contacting tech support. Even then, the attacker could still have repeated the whole process again, because all they needed was the robot ID, which remained unchanged.

Uploading modified firmware

Finally, as we studied the way that the robot’s various systems functioned, we discovered security issues with the software update process. Update packages came without a digital signature, and the robot installed a specially formatted update archive received from the vendor’s server without running any verifications first.

This opened possibilities for attacking the update server, replacing the archive with a modified one, and uploading malicious firmware that let the attacker execute arbitrary commands with superuser permissions on all robots. In theory, the attackers would then have been able to assume control over the robot’s movements, use the built-in cameras and microphones for spying, make calls to robots, and so on.

How to stay safe

This tale has a happy ending, though. We informed the toy’s developers about the issues we’d discovered, and they took steps to fix them. The vulnerabilities described above have all been fixed.

In closing, here are a few tips on staying safe while using various smart gadgets:

• Remember that all kinds of smart devices — even toys — are typically highly complex digital systems whose developers often fail to ensure secure and reliable storage of user data.
• As you shop for a device, be sure to closely read user feedback and reviews and, ideally, any security reports if you can find them.
• Keep in mind that the mere discovery of vulnerabilities in a device doesn’t make it inferior: issues can be found anywhere. What you need to look for is the vendor’s response: it’s a good sign if any issues have been fixed. It’s not a good thing if the vendor appears not to care.
• To avoid being spied or eavesdropped on by your smart devices, turn them off when you’re not using them, and shutter or tape over the camera.
• Finally, it goes without saying that you should protect all your family members’ devices with a reliable security solution. A toy-robot hack is admittedly an exotic threat — but the likelihood of encountering other types of online threats is still very high these days.