Vulnerabilities Found
During our investigation we analyzed the memory dump, reverse engineered the firmware and
Android application, observed network traffic, and analyzed the security of ToyTalk’s web
applications and services.
Through these methods we were able to intercept encrypted communication from the mobile
application, trick the mobile application and web application into leaking data, and communicate
with ToyTalk servers, masquerading as either Barbie or the mobile application. Minor security
weaknesses were found in the device, while larger and more impactful vulnerabilities were
found in ToyTalk’s web applications and web services.
The nastiest vulnerability allows an attacker to enumerate account usernames and brute force
their passwords with unlimited retries, without triggering any form of account lockout. There was
also a weak password policy in place, making this an even more viable attack vector.
Additional vulnerabilities include the ToyTalk website issuing password reset requests over
HTTP that do not expire, pages vulnerable to Stored Cross-Site Scripting (XSS), and session
cookies that did not expire. Throughout the analysis, 14 vulnerabilities were discovered. Further
details on our security analysis and the vulnerabilities can be found in our full write up.
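The account-handling weaknesses listed above (username enumeration, unlimited password retries with no lockout, a weak password policy, and password reset requests that never expire) are each the absence of a routine control. The following is an added illustration, not code from the article, from ToyTalk, or from the Hello Barbie product: a small in-memory authentication service that applies those controls. The class name, the lockout threshold and window, the reset-token lifetime, the password policy and the account data are all assumptions chosen for the example.

```python
"""Added example (not the article's or ToyTalk's code): an in-memory
authentication service demonstrating the controls whose absence the
article reports. All names, thresholds and accounts are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

MAX_FAILED_ATTEMPTS = 5          # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60        # assumed lockout window
RESET_TOKEN_TTL = 60 * 60        # assumed reset-link lifetime (one hour)
MIN_PASSWORD_LENGTH = 12         # assumed policy minimum
PBKDF2_ITERATIONS = 100_000      # assumed work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2-HMAC-SHA256; salt is per account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_policy_ok(password: str) -> bool:
    """Illustrative policy: minimum length and at least three character classes."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


class AuthService:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so tests can advance time
        self.users = {}                # username -> {salt, hash, failures, locked_until}
        self.reset_tokens = {}         # token -> (username, expires_at)
        # Dummy credentials so unknown usernames cost the same hashing work
        # as known ones; timing then does not reveal which accounts exist.
        self._dummy_salt = os.urandom(16)
        _hash_password("dummy-password", self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        if not password_policy_ok(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> bool:
        """True only on success. Every failure path returns the same False,
        so a caller cannot distinguish unknown user, bad password or lockout."""
        rec = self.users.get(username)
        if rec is None:
            _hash_password(password, self._dummy_salt)   # burn equal work
            return False
        if rec["locked_until"] > self.now():
            return False                                  # locked: do not even check
        if hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = self.now() + LOCKOUT_SECONDS
            rec["failures"] = 0
        return False

    def is_locked(self, username: str) -> bool:
        rec = self.users.get(username)
        return rec is not None and rec["locked_until"] > self.now()

    def request_password_reset(self, username: str) -> Optional[str]:
        """Issue a single-use, expiring token. Returns None for unknown users;
        the caller should show the same 'check your email' message either way."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, self.now() + RESET_TOKEN_TTL)
        return token

    def redeem_password_reset(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.get(token)
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            del self.reset_tokens[token]                  # expired: discard
            return False
        if not password_policy_ok(new_password):
            return False                                  # keep token, let user retry
        del self.reset_tokens[token]                      # consumed: single use
        rec = self.users[username]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash_password(new_password, rec["salt"])
        rec["failures"] = 0
        rec["locked_until"] = 0.0
        return True
```

The design point is that the login and reset endpoints return an identical result for every failure reason, the lockout is tracked per account rather than per client (so changing source addresses does not reset it), and reset tokens carry both a lifetime and single-use semantics; a real deployment would persist this state server-side and deliver reset links only over HTTPS.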
System Architecture
Some may remember the articles about the My Friend Cayla doll hack that could force it to say
curse words and other colorful things. This was made possible by poor design decisions.
That doll was a simple device acting as a Bluetooth headset that could pair with any mobile
device without authentication. It relied heavily upon the mobile application, which acted as the
core of the product, handling all querying of questions and responses.
What researchers tried to illustrate was that if a Cayla doll accidentally lost its connection and
paired with an attacker’s device, the attacker could listen to what the doll records and control
what it says.
This is not the same case with Hello Barbie. Barbie is built upon hardware specifically designed
for IoT, and its architecture is comparable to that of other IoT services like Amazon AWS IoT.
The system has three possible clients that interface with each other and the cloud.
The doll uses WiFi in place of Bluetooth. Pairing with the mobile application is much more
involved and is only used to associate Barbie with a WiFi access point and a ToyTalk account.
39 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide