First, it was concerns about the Internet-connected “Hello Barbie.” Then, toy-maker VTech had data on 4.5 million adults and more than 200,000 kids stolen. Next, it was 3.3 million customers exposed in the Hello Kitty hack. Now, another toy is turning out to have security problems. As toys get smarter, they’re pushing toy manufacturers into the unfamiliar area of security. After all, you can’t hack classics like Lego or Lincoln Logs.
The latest offering to feel the heat from security researchers is BB-8, the adorable spherical droid from the newest Star Wars movie. The toy version, made by Sphero, can move around on its own and respond to commands from a smartphone app. It looks like a lot of fun in action; however, the app has a problem.
Researchers at Pen Test Partners found that BB-8’s app doesn’t secure its connection to the Internet. If the app requests a firmware update, a hacker within Wi-Fi range monitoring the connection could snag the real update and deliver their own to the toy.
The researchers do admit that this is highly unlikely. And even if a hacker did this, there’s no personal information on the droid to steal, and it doesn’t have a camera or microphone. The most a hacker could do would be to give BB-8 self-destructive behavior or replace its audio files with swear words.
Still, the researchers are using this as an example of the need for toy manufacturers, or any manufacturer working with “smart” gadgets, to get serious about security. With Internet of Things gadgets likely on the rise in 2016, you don’t want to be inviting security problems into your home.
Fortunately, manufacturers are starting to get the message. Samsung’s new line of TVs will have strong built-in security, and third parties are starting to make devices that monitor any gadgets connected to a network to spot problems.