[You’ll probably see advertisements inserted by WordPress into this article. I don’t choose them or approve them – in fact, I don’t normally see them – but they’re the price I pay for not being able to afford (at present) to pay for all my blogs.]
In January 2024, Snopes published an article ’90s Throwback: When Furbys Caused National Security Fears that indicates that they were unable to access some of the documentation referred to in the article, so categorized it as ‘research in progress’. I have no idea whether there’s a connection in the timing, but in February 2024 Bruce Schneier reported that NSA documents had been released following a Freedom of Information Act request: Documents about the NSA’s Banning of Furby Toys in the 1990s. This prompted me to dig out an article I wrote for Kevin Townsend’s IT Security UK blog site around 2012. This was a site where researchers were encouraged to post content independently of establishment vendors, and some highly-respected researchers posted some excellent content there. Unfortunately, the site was subject to repeated attacks and is no longer available, though Kevin himself is still writing quality content for other sites.
I’m not saying that the following is excellent comment (or indeed that I was highly respected), but I still rather like it. It’s very lightly edited.
Somehow, the Furby, a furry toy vaguely resembling a Mogwai (the cuddly pre-Gremlin version in Joe Dante’s films, rather than the demons of Chinese tradition1) has always invited a certain amount of paranoia, fuelled by (or perhaps fuelling) the interest of the hacking community.
As well as a fairly dumb and long gone discussion on the newsgroup alt.comp.virus about its potential as a virus vector, the details of which now escape me, it was the subject of a ban of sorts on airlines. More precisely, the Federal Aviation Authority recommended that ‘Furbys should not be on when the plane is below 10,000 feet’, and many airlines went as far as requiring passengers ‘to remove the batteries from their Furby dolls so that the electronic gizmos don’t interfere with navigational systems during takeoff and landing. This was as a result of the device’s being classified in the same group as electronic devices such as laptops, cellphones, electronic games, and personal music devices.
‘Personal stereos’ at that point probably meant portable cassette and CD players rather than iPods and other mobile devices, of which modern versions certainly qualify as full-blown computers with communication capabilities that were still seen as somewhat futuristic around the turn of the century. So perhaps it’s not surprising that airlines continue to extend bans and restrictions to more or less anything that could be described as electronic. Better safe than splattered, I suppose, however unlikely it is that any dire consequences might ensure. I certainly know people who have found that their phone had switched itself back on during a flight without any impact (so to speak) on their safe travel and arrival. Yes, one of them would be me… No statistics seem to be available on how many successful pocket calls have been made from 30,000 feet, however.
In 2002 I wrote in a paper for EICAR:
Furbys were recently banned in ‘spy centres’ because they’re believed to be a possible source of information leakage. Apparently security chiefs believed that they learned phrases spoken around them and that they might therefore repeat secret information, making them a security risk. My daughter and I have spent many happy hours trying to persuade her furby to say “My hovercraft is full of eels”, preferably in a Ukrainian accent, but have so far failed miserably. Neither the accompanying instruction manual nor http://www.furby.com seem to be aware of this splendid ability, but perhaps it’s undocumented, like the opcode which is supposed to enable a malicious hacker to burn out a Pentium motherboard.
This particular ban seems to have been based on the widely-held belief that Furby’s learn to speak English rather than their ‘native’ Furbish (yes, I know…) in much the same way that humans are assumed to learn, by repeating what is said to them. Which may or may not be what Tiger Electronics initially wanted its young customers to believe: in any case, the product description for the Furby Boom still tells them to ‘Talk to your Furby and interact with it to teach it English and shape its personality’.
However, when the story broke, its executives went out of their way to point out that Furbys had no recording mechanism. As for the learning process, it appears that the ‘learning mechanism’ and repetition of speech was based on reinforcement of uttering pre-programmed phrases, not learning through mimicry. Apparently, petting the toy when it spoke encouraged it to repeat the phrase more often, but the only thing it was learning was the listening preferences of its owner. It is apparently designed to introduce more pre-programmed English phrases over time in order to reinforce the false impression that it is actually learning English. In any case, it appears that the NSA rescinded its ban. I’m not sure if it carried out any investigation into the reading ability and gullibility levels of its own executives, or into whether NSA-employed Furby owners were offered alternative stress alleviation strategies.
So what about the ‘hacking’ aspect? Mostly, this is concerned with hacking in its old-fashioned, non-pejorative/non-malicious sense, in particular with manipulating the toy’s audio and sensory inputs for circuit bending, specifically (in this case) to generate audio effects. However, an article from December 2013 by Michael Coppola – Reverse Engineering a Furby – demonstrates a wider interest, specifically in the inter-device protocol used by recent models, and pointed to earlier research on the events it understands.
In spite of Coppola’s invocation of the dreaded #badBIOS, inspired by the use of an audio protocol that encodes data into bursts of high-pitch frequencies for communication between the Furby and an iOS mobile app (or with other Furbys) that brings to mind Dragos Ruiu’s claims – not universally accepted – of the existence of malware that (among other things) communicates between infected devices using ultrahigh speaker frequencies, I’m not seeing a malware-friendly supertool here, though the articles concerned are actually fascinating, in a nerdish sort of way. However, that didn’t stop Coppola’s research being cited as having discovered ‘ vulnerabilities in the way the toy communicates with other Furby toys and its mobile app’ in an article sensationally entitled Valasek: Today’s Furby Bug is Tomorrow’s SCADA Vulnerability.
I wasn’t at the Security of Things event where Valasek talked about Coppola’s work, of course, but what he actually said turns out to be a little less sensational.
‘…low-impact research cannot be dismissed either. Not every IOT vulnerability is going to be high impact. You have to judge how technology that might be vulnerable today will be used in the future.’
Nor was I at the events in 2014 where Coppola apparently talked about a ‘delicious 0-day’, but I presume that it was interesting but, as Valasek puts it, low impact. A lot of effort involving various highly corrosive acids and an electronic microscope doesn’t seem to have uncovered all of Furby’s furry little secrets. Moving from what may be known to the next big thing in SCADA hype may be premature, even if it does result in another Establishment panic attack at some point.
My daughter moved on from Furby and Tamagotchi quite a few years ago, but if I found one of my grandchildren with one, I don’t think I’d be ripping it out of his or her hands and looking for the nearest junkyard with a car crusher just yet. And while I’m not about to underplay the risks to national infrastructure [originally a link to a presentation to Infosec on behalf of ESET which has vanished from ESET’s servers], it’s all too easy for speculation to spill over into fantasy. [A link to a blog for ESET which is still there: re-reading it definitely gave me pleasure, as cheap sarcasm often does.]
David Harley
1The mythological basis of the Dante films is quite interesting in itself: the cuddly Mogwai share a name with demons that have a great deal in common behaviourally with the vengeful spirits of Chinese tradition. Even their methods of reproduction and mutation bear some resemblance. The name Gremlin seems to have originated in RAF slang of the 1920s (or possibly earlier), used to describe creatures deemed responsible for ‘inexplicable’ mechanical failures, the term passing into wider currency through a book by Roald Dahl.
The AVIEN Portal 