Reverse-engineering a connected Furby toy, revealing its disturbing security defects


Originally published at:


“Well, looks like either your Furby has been hacked, or it’s demonic possession.”


hah, that’s nothing - I once bought a mogwai as a Christmas present and the security issues with that thing - wooo boy.


The XLS (“eXecution List”) section, though quite important-sounding, was probably also going to be quite complex.

I like the fact that the new Furby has a specific execution list, rather than the previous model’s behavior of just killing people at random.


Cory’s post misrepresents what the reverse-engineering article demonstrates.

The Furby Connect does not connect to your home network nor the Internet, and it does not have a microphone nor does it have a camera. The Furby connects to your smartphone via Bluetooth; your smartphone does connect to the Internet and your home network, but that is not what is compromised. The article does not establish any way for the Furby to be used for surveillance. It only shows that the Bluetooth connection allows anyone to upload their own firmware and DLC to the Furby, allowing you to have fun by customizing the Furby’s audio playback, video playback, and motor functions. There are no A/V sensors on the Furby, therefore it can’t be used for surveillance! It does not connect to your network, therefore it cannot monitor your network activity. There are some sensors on the Furby, but the worst thing you can learn from them is when the Furby is being played with. And in order to do that, you have to be close enough to the Furby to connect to it via Bluetooth, which means you are already close enough to know whether it is being played with.

It really isn’t. The security flaws cannot be leveraged to seriously invade anyone’s privacy. They also cannot be leveraged to compromise other devices. Really, the most extreme thing you can do with this is hack a Furby to play the audio from hardcore pornography while showing some disturbing animation on the Furby’s eyes. I guess you could maybe upload some audio to brainwash a child to join your cult or something like that. But no serious surveillance possibilities. That’s why Hasbro’s response was so “meh.” These flaws are really not a big deal, and they don’t pose a real threat to children’s (or anyone’s) privacy or security.


Hush now. You’ll give someone the idea of “synergizing” the Terminator franchise and some kid-friendly thing, like Furby, Teletubbies, or Cabbage Patch Kids.

Coming soon in 2019, Produced by Michael Bay…


Furby? I’m part furby.


Bluetooth LE isn’t inherently shorter range than older Bluetooth and that can be extended quite a ways. 10 meters is just the guaranteed indoor range between two devices with crummy PCB or chip antennas.

This isn’t a particularly great antenna, but it should extend the distance well outside baseball bat retaliation range:

Playing sounds is only the low hanging fruit. If the firmware can be changed, then anything on the Furby is up for grabs with enough effort.

These sounds might be better:


There must be an error somewhere, that’s just not possible.


Cory . . . exaggerating and misrepresenting? I’m shocked!




The what?


I think it’s a typo for “won’t fix”.


Ah, thank you. That makes sense.


Hi All – somewhat off-topic, but y’all did something to your site layout that regularly and predictably causes Chrome to crash when trying to load your pages. Some text shows up, a few page layouts jiggle through as images / videos / ads load, and then … “oh snap”.

Happens on every article page, consistently enough that I’ve given up trying to read anything. Chrome 62.0.3202.70 on iPad OS 10.3.3.


The first generation Furby - which wasn’t connected - was considered a security risk. Several organisations banned it from sensitive areas. IIRC, the CIA was one of them.


I thought it was maybe a reference to some sort of alternative use for a vibrating Furby.


This is true, but it was based on unfounded rumors (which the US intelligence community sometimes acts on, e.g. WMDs in Iraq).

From Mental Floss:

According to the Furby wikipedia article, “the ban was eventually withdrawn.” (However, that tidbit needs a citation.)

Apparently people also thought the original Furby could do even crazier things, like interfere with medical devices, launch the space shuttle, and sing Italian operas.

The NSA’s ban on the original Furby isn’t actually evidence that they are a security risk. It is evidence that people still become paranoid about harmless things, without making any effort to understand those things.


Why bother with basic security when you have a hammer called the DMCA? Sincerely, Hasbro

