New Blog: Hacking Unicorns with Bluetooth
In one of our public research projects we found vulnerabilities in a Bluetooth CloudPets Unicorn toy that allowed us to take control of the toy’s voice recording functionality. The CloudPets range of cuddly toys uses Bluetooth Low Energy (LE) to communicate with a smartphone app, allowing parents to record an audio message on their phone and then send it to their child’s toy via Bluetooth LE and vice versa.
We were able to connect to the CloudPets toy via Bluetooth LE, upload a recording that we had made and make the toy play back the recording. We were also able to trigger the toy’s recording functionality and retrieve and play back audio it had recorded, effectively turning the toy into a remote surveillance device. Bluetooth LE has a range of about 10-30 metres, so anyone standing outside a house that has the toy could easily connect to a toy inside it.
“Whilst the purpose of this project was to have some fun hacking a Bluetooth Unicorn and look at how BLE is used in real world projects, the security implications are also important to note,” said Paul Stone, Principal Researcher at Context. “The toy does not use any built-in Bluetooth security features such as pairing that would have enabled some authentication between device and phone. In our experience many Bluetooth LE devices intended for use with smartphones don’t bother with pairing in order to simplify user experience. In the meantime, if you own one of these toys, or any other IoT or connected toy, I would recommend keeping it turned off whilst it’s not in use.”
This blog follows the revelation this week by another researcher that Spiral Toys, the maker of CloudPets, exposed more than 2 million voice recordings of children and parents, as well as email addresses and passwords for more than 800,000 accounts. The recordings and data were stored in a publicly accessible database that wasn't protected by a password or placed behind a firewall.