Hack Turns BB-8 Star Wars Toy to Dark Side

If you've seen Star Wars: The Force Awakens, then you know that the galaxy could have been in very big trouble had BB-8, the oh-so-marketable astromech droid/rolling plot device, fallen into the wrong hands.

In real life, however, the chirpy automaton may be easier to manipulate than his cinematic counterpart. A lifelike BB-8 toy from Sphero lacks secure firmware update protocols, which could theoretically present a target to hackers (albeit a very, very mild one).

The information comes courtesy of Pen Test Partners, a security firm based in Buckingham, England (about 40 miles from Pinewood Studios, where most interior scenes for The Force Awakens were filmed). The company tests all sorts of connected devices, and with a hot new Star Wars movie on the market, testing the tie-in Bluetooth-connected droid toy seemed like a logical move.

As it turns out, it's a good thing that X-Wing pilot Poe Dameron didn't entrust his secret star map to a BB-8 toy, because compromising the toy is not that hard.

MORE: Best Star Wars Gadget Gifts

Ken Munro at Pen Test Partners isolated two huge security flaws with the BB-8 toy. First and foremost, the device does not require a Bluetooth PIN to pair with a phone. (Users control the toy through an Android app.) This means that anyone within the immediate area could run the toy's smartphone controller app, hijack your BB-8 and roll it around, if they so chose. Not disastrous, perhaps, but annoying, certainly.

The bigger problem is with the device's firmware updates. When the toy updates its firmware, it does so via HTTP connection rather than a secured HTTPS one. Since there is no SSL authentication, a skilled hacker could easily hijack the connection and install his or her own firmware. This software could then report back information from BB-8 back to the attacker, or change BB-8's controls so that "stop" means "go," and vice versa.

Here's the rub, though: the Sphero BB-8 doesn't broadcast any useful information. In order to hijack a BB-8 to gather information from a user's phone, an attacker would have to be in the vicinity of a user updating a BB-8's firmware and take advantage of a Bluetooth pairing vulnerability, all at the same time. (There are no known Bluetooth vulnerabilities for Android at the moment, although it's possible that some exist.)

For the time being, you can roll BB-8 around to your heart's content without worrying too much about an attack. But be aware that unless the device implements some better security protocols (which Sphero is currently working on), an errant Sith Lord could take it away with just an Android phone; no mind tricks required.