When Context Labs teamed up with UK consumer group Which? to produce an outstanding report on the surveillance, privacy and security risks of kids' "connected toys," it undertook the reverse-engineering of Hasbro's new Furby Connect, a device that works with a mobile app to listen and watch the people around it and interact with them.
Naturally, any internet-connected device has the power to spy on your home network, and once you give that device a camera and microphone, it also has the power to spy on the people in your home, capturing audio and video of them at intimate moments, stealing their secrets and invading their privacy.
So you'd hope that the Furby Connect would have a very robust security model that prevented bad actors from covertly updating the device to turn it into a surveillance tool. Unfortunately, as Context discovered, "the security situation was bad."
From the Bluetooth LE channel used by the device to talk to your phone (encryption turned off!) to the ability to conduct over-the-air firmware updates, to the lack of firmware update authentication, the device is a near-total disaster (though the researchers do say they find the design "frankly adorable").
More disturbing is Hasbro's dismissive response, which boiled down to, "We don't think this is a big deal so we're not going to do anything about it #wontfit."
The Context Labs report on the subsequent reverse-engineering of the protocols, format and firmware for the Furby Connect is an excellent example of the technological detective story, in which engineers have match their intellect against those who came before them and unravel their secrets — the sort of thing that makes Bunnie Huang's book The Hardware Hacker such an essential read.
Rather than just continuing sequentially through the file, we could now focus on specific sections of interest. The XLS ("eXecution List") section, though quite important-sounding, was probably also going to be quite complex. A good approach to reversing most things seems to be to start with the simplest parts, then build up to the more sophisticated parts from there, one piece at a time. Following this approach, we chose to leave the XLS section for later, and instead started out on the AMF ("Audio Media Files") section, which turned out to be arranged in the following rather straightforward format:
A four-byte integer, giving the number of audio samples contained in the section.
A sequence of four-byte integers, giving the offset to the start of each audio sample from the beginning of the section.
A sequence of variable-length audio samples encoded with the GeneralPlus A1800 codec.