Hard on the heels of its data leak, connected teddy bear outfit CloudPets is under scrutiny, this time for not securing its toys against remote exploitation via the Bluetooth Web API.
The Register has previously carried warnings from security analyst and W3C invited expert Lukasz Olejnik that mishandling the Web-to-Bluetooth connection is a privacy vulnerability. CloudPets seems to have stumbled right into that mess.
Context Information Security says it was already looking at CloudPets' use of the API before Troy Hunt went public with news of the company's data leak, and brought forward its publication in response.
Context IS's conclusion is that security of the Bluetooth Web API implementation in the devices is inadequate.
“When first setting up the toy using the official CloudPets app, you have to press the paw button to 'confirm' the setup. I initially thought this might be some sort of security mechanism, but it turns out this isn't required at all by the toy itself,” author Paul Stone writes.
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else. Bluetooth LE typically has a range of about 10 - 30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”
Once Stone decoded how the API is implemented in the toy, the steps to turn it into a listening device were simple:
1. Enable notifications for the 'receive audio' characteristic
2. Send 02 to the command characteristic
3. Wait for the 'state' characteristic to change to 07 (audio download)
4. The toy will then send a large number of 16-byte notifications on the 'receive audio' characteristic
5. Wait for the 'state' characteristic to change to 01 (idle)
6. Concatenate the received notifications and decode the audio
Stone's also unimpressed with the toys' firmware handling: “The CloudPets app performs a firmware update when you first set up the toy, and the firmware files are included in the APK. The firmware is not signed or encrypted - it's only validated using a CRC16 checksum. Therefore it would be perfectly possible to remotely modify the toy's firmware”.
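The firmware point, as an added example that is not from the article or from Stone's code: a CRC16 trailer catches accidental corruption but accepts any image whose checksum has simply been recomputed, while a keyed tag does not. The CRC16 variant, image layout and key are constructed assumptions, and HMAC-SHA256 stands in for the public-key signature a real updater would use so that the device holds only a verification key.

```python
import binascii
import hashlib
import hmac
import struct

# Constructed sample values: the article gives no image layout, CRC16
# variant or key material, so everything below is an assumption.
VENDOR_KEY = b"constructed-demo-key"
ORIGINAL = b"FWIMG\x01" + bytes(range(64))
ALTERED = ORIGINAL[:-1] + b"\xff"  # differs from ORIGINAL in one byte
TAG_LEN = hashlib.sha256().digest_size


def crc_trailer(image: bytes) -> bytes:
    """CRC-16/CCITT-FALSE trailer; anyone can compute it, no secret needed."""
    return struct.pack(">H", binascii.crc_hqx(image, 0xFFFF))


def accept_crc(blob: bytes) -> bool:
    """Integrity-only check of the kind the article describes."""
    return len(blob) > 2 and crc_trailer(blob[:-2]) == blob[-2:]


def mac_tag(image: bytes, key: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def accept_mac(blob: bytes, key: bytes) -> bool:
    """Authenticated check: the tag cannot be produced without the key."""
    if len(blob) <= TAG_LEN:
        return False
    image, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(mac_tag(image, key), tag)


def compare_checks() -> dict:
    """Run both checks over genuine, corrupted and repackaged images."""
    return {
        "crc_genuine": accept_crc(ORIGINAL + crc_trailer(ORIGINAL)),
        "crc_corrupted": accept_crc(ALTERED + crc_trailer(ORIGINAL)),
        "crc_repackaged": accept_crc(ALTERED + crc_trailer(ALTERED)),
        "mac_genuine": accept_mac(ORIGINAL + mac_tag(ORIGINAL, VENDOR_KEY), VENDOR_KEY),
        "mac_stale_tag": accept_mac(ALTERED + mac_tag(ORIGINAL, VENDOR_KEY), VENDOR_KEY),
        "mac_wrong_key": accept_mac(ALTERED + mac_tag(ALTERED, b"not-the-key"), VENDOR_KEY),
    }


if __name__ == "__main__":
    for name, accepted in compare_checks().items():
        print(f"{name:15} accepted={accepted}")
```

The `crc_repackaged` case is the gap: the image changed, yet the check passes because the checksum proves consistency, not origin.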
Olejnik, who gave last year's warning about the misuse of the API, seems grimly vindicated:
This Web Bluetooth demo is not something any #IoT vendor would ever want to see as a privacy abuse example. https://t.co/1sRYLY36TY pic.twitter.com/WwGJSgwOq9
― Lukasz Olejnik (@lukOlejnik) February 28, 2017
Stone has put the code for his bear-busting proof-of-concept on GitHub.