Tuesday, March 17, 2015

Internet of Dolls: See you later, Barbie.

In a recent episode of CSI: Cyber, baby monitoring cameras had malware inserted into their firmware to allow criminals to spy on babies in their cribs. The crooks and kidnappers kept track of routines and schedules in order to find the best time to abduct a child.

On CSI: Cyber, television kidnappers hack baby camera firmware to spy on children.

While baby cameras are intended for monitoring your child, that's not the case with a new Barbie doll from Mattel set to debut in the upcoming Christmas season. The Hello Barbie is capable of carrying out conversations with your child, much as Siri or Cortana does on your phone. Where the phone AIs are there to follow your commands or search the web, Hello Barbie will speak with your child and learn from their responses. Like Siri, the Wi-Fi-enabled doll sends the child's responses back to its creator's servers (SF-based ToyTalk) so that it can better answer the child.

The Hello Barbie, waiting to have a chat with your kids.

"Furbies are listening to everything!"
Sixteen years ago, in 1999, the National Security Agency (NSA) banned Hasbro's Furbies from their premises. This was due to the little toys having the ability to listen and "learn" new phrases. The toys had a limited English vocabulary and a smaller vocabulary of words in their own language, Furbish. Instead of learning like a parrot, further English words were unlocked slowly until the Furby spoke mostly English with a few Furbish phrases. The NSA was being cautious, as Furbies were brand new and produced in factories in China, where it's possible that foreign spies could insert radio chips into the toys.

An original 90's Furby. They (probably) weren't spying on your kids.
Credit: @blamethecrane http://www.flickr.com/people/66376272@N07/

These original Furbies were not network connected. Furbies have been reverse engineered to see how they function and how to repair them, but no special radio chips were found inside to allow criminals and spies to listen in on private conversations.

Today the same can't be definitively said of modern Furby Booms with their own iPhone and Android apps. One can feed them when they're hungry, play games with them on an iPad, and give them "medical" check-ups when they get "ill". These additional functions just need a compatible mobile app.

An attacker looking to control a modern Furby has much of the hard work done. Like the original Furbies, the new ones have also been reverse engineered to see how they function and/or to modify their behavior. Researchers have even decompiled and analyzed the Android app to work out the communication API. Unlike Hello Barbie, even a modern Furby doesn't have the hardware to send anything children say over the Internet.

Shhhh... Hello Barbie is around
There has been talk about not inviting Hello Barbie into our homes; not allowing her to speak with our kids. The arguments have been that it's like bringing an open microphone into your children's bedrooms, or in some cases even worse, inviting marketers.

Hello Barbie has only been seen in demos so far and she won't be available for purchase for months. Is she secretly listening? Maybe not: it looks like she has an indicator light and plays a tone when she hears you speak.

Her creators say that she will learn from speaking with your child. She's already got an advantage on the Furby. Having a built-in microphone and the ability to send audio to a speech recognition backend lets her respond more like a real person.

A Hello Barbie is able to communicate over the Internet. Does it have its own account like the power meter on the side of your house? Or like late model cars? No, but it does talk back to its creators in much the same way that the power meter communicates with the utility.

Hello Barbie beats the Furbies by actually talking to a child, and by remembering and responding to what the child says. This makes for a very social toy, powered by Mattel's partner ToyTalk, who specialize in speech recognition.

The folks behind Hello Barbie's people skills
ToyTalk is a company founded by ex-Pixar people that specializes in creating apps for children that encourage communication. They create technology for speech recognition, specialized for children instead of adults. The company makes a line of mobile games and interactive stories. 

Some of the iOS games made by ToyTalk. Kids can play along and chat with game characters.

Their backend technology is driving the Hello Barbie's ability to learn and understand when talking to a child.

As the games ToyTalk produces are frontends that encourage children to speak with characters, there is some care to ensure that parental consent is acquired. If you let your kid play the games, you need to sign up for an account with your email and agree to let ToyTalk analyze your kid's conversations. Since you would then have an account, the company can give you access to and control over your kid's recordings. If you don't sign up for an account, your kids can still play but the conversation portions of the game are not active.

In the case of Hello Barbie, the doll will likely be inactive until parents activate their own accounts and enable conversation mode. That would still leave your child with a Barbie, albeit an expensive one.

Threats to our toys: are our children safe?

  • Should we be worrying that criminals will hijack our children's Barbies in order to convince them to run away or follow that stranger? 
    • No. Expect that to be the plot of a future episode of CSI:Cyber or Scorpion.
  • Will they attack our apps?
    • Almost certainly. 
  • Will they attack our children's apps?
    • Possibly. Criminals, especially computer criminals, tend to look for a profit. It's more likely they'll try to steal financial information (e.g. credit card numbers overheard at the kitchen table) rather than the name of your kid's best friend.
  • Will criminals use modified firmware to create a botnet of Hello Barbies to steal the money from all of our Apple Pay accounts?
    • No. Also more likely a plot for CSI:Cyber.

We are all still safe until Hello Barbie is finally released. When that happens, the mobile apps will be available for download by the world at large, including computer criminals. They will finally be able to reverse engineer them, looking for vulnerabilities to exploit. As with the Furby, more features will give children more to play with, but they'll also give more to crooks.



Wednesday, January 14, 2015

Smart Luggage Locks: Are we ready for them?

When you travel by air a lot you tend to get efficient about packing your bags (like George Clooney in 'Up in the Air'). Due to efficiency (or other reasons), locking your bags tends to fall by the wayside. If I could simply wave my phone over my bag in order to unlock it, that would definitely save me time. eGeeTouch believes they have the solution: smart luggage locks. Like what the folks behind the Noke padlock are doing, eGeeTouch is providing a way to carry the keys to your bags everywhere.

Roughly the size of the average luggage lock, the eGeeTouch smart luggage lock means you'll never forget your key.
Smart NFC-enabled luggage locks
The eGeeTouch locks are different from older locks in that they don't use keys (other than the TSA master keys) or combination wheels. I've forgotten my combinations and lost or misplaced a key before, so I definitely have an interest in these locks. eGeeTouch promises the ease of key management and easy unlocking through a mobile app. Even without a phone that supports NFC (Near Field Communication, like in touch-and-pay credit cards), eGeeTouch also provides separate programmable NFC tags.

Near Field Communications lets you pay for things by waving your phone. Now you'll be able to unlock your bags too.
Credit: Steven Walling

The locks themselves will have a suggested cost between $20-30 apiece. Larger licensing deals may reduce the cost for the end user. At the moment they're about 3x the price of a non-smart lock. When they're eventually licensed by baggage manufacturers, the cost will be included in the price of your new luggage.

The most expensive smartphones now include NFC support (for use with Google Wallet or Apple Pay), though the average smartphone is not excluded. The programmable NFC tags can be registered as keys for your lock using the eGeeTouch Access Manager app.

Attacker's eye view of the eGeeTouch lock
The eGeeTouch locks do look quite interesting, but it's likely attackers will find new ways to access your property.

The Lock Manager app includes a number of functions: managing the password, making a backup, and managing tags, although some of that functionality is currently unimplemented.

There are a number of ways to attack a smart lock or access what it protects:

Physical
1) Cloning smart tags/"keys"
2) TSA approved keyway
3) Zipper tricks

Technological
1) Exploit lost key replacement protocol
2) Extract key from phone app

Physically cloning the NFC smart tags (i.e. the keys) with a tag reader/writer would be the "Hollywood" method. Technically it yields a perfect copy, but it requires an attacker to expend more resources (people, hardware/software, time, money) than the value of whatever is stored in most people's luggage.

Attackers may go after the next most complex physical defense, the TSA bypass lock. The seminal report on TSA compatible locks by security and lock expert Marc Weber Tobias covers the issues quite well. Although legitimate TSA master keys are inventory controlled, restricted, and secured at the end of shifts, it is still possible to create keys or decode combinations. Tobias' report shows how it's possible to pick or bypass luggage locks through the TSA approved keyway. The cost and preparation time may also be too much for the average attacker.

Zippers rather than locks seem to be the real weak point when looking at physical attacks. There are numerous videos on YouTube that show how one can easily open and re-seal the zipper on your bag with a common ballpoint pen. If an attacker is in a more destructive mood they could also simply slice into the bag with a knife.

Given the cost and relative difficulty of physical attacks, it can be easier to go after the low-hanging fruit of mobile apps. Currently the eGeeTouch Manager App is available on the app markets. Per the eGeeTouch FAQ, if one loses their phone, one can simply install the Manager App on their new phone and replace/reload a new code on their locks. The attacker would need to disassemble/decompile the app in order to figure out how the keys are managed and how to clone or insert their own.

A slightly easier method is to locate how/where the keys are stored on disk. The attacker would just need to gain access to the password file, decode the stored keys, and exfiltrate them to the attacker's server. This attack would be most successful on a rooted device, which allows access to the password file. A plausible attack would have an optional root exploit, knowledge of key storage (e.g. filepaths), and a method to exfiltrate the data.

Smart Luggage Locks: What can go wrong?
Smart Luggage Locks can be attacked. Does that make them insecure? Not necessarily. Attackers face a tradeoff between cost (money + risk) and acquired information or goods (revenue - cost). Since I'm not carrying the formula for Coca-Cola in my luggage, it might not be worth the risk for attackers to take on the TSA or other law enforcement just to bypass my Smart locks. For the regular traveller who also doesn't carry state/trade secrets, high-end electronics or fancy jewelry, the locks may be enough to discourage the casual pilferer.



[1] Once I managed to leave the key in my luggage as I closed the lock. This led to some fiddling with a butter knife and damage to the zippers on my bag. These are the dangers of forgetting where one placed the key.
