Saturday, November 7, 2015

Hacking Furby's Android-app for fun (and profit?)

So yes, this story is about Furby, that little hairy creature that never stop talking and always want you to keep feeding it and play with it all the time. A sort of a modern Tamagotchi.
But why an InfoSec geek like me would wanna write about Furby anyway? Apparently, besides of Furby being a really annoying toy, it's also a very interesting piece of technology! and today's Furbies are more technologically advanced than ever.
In fact, according to Wikipedia, Furby even caused some serious security concerns among intelligence agencies such as the NSA (National Security Agency) since this unique toy comes with several sensors such as Infra-red and a microphone that might possibly cause a leak of highly classified information.

Considering the fact that Furby is intended to be used by 6+ years old kids, this toy is extremely sophisticated in means of the variety of functions it can handle and the different situations it can react to.
Since 1998, when Furby was initially released by Tiger Electronics (these days owned by Hasbro), it underwent several changes while each version technologically outdid its predecessor.
The 2005's Emoto-Tronic Furby, for example, supported voice-recognition and added more complex facial movements, and in the holiday season of 2012 Hasbro released a new Furby with more expressive LCD eyes, a wider range of motions, its own iOS and Android app, and the ability to adapt personality in reaction to user behavior.
Furby's latest version was released in the summer of 2013 and featured a brand new iOS and Android app, called Furby BOOM, with many new features.
The way Furby communicates with those new mobile apps is by basically encoding data into bursts high-pitch frequencies that most of us can't hear (but your dog may, probably) and sending them to the air using a regular speaker. The same technique is done on the mobile devices to receive and send commands to the Furby itself. This technique eliminate any need for modern transmitter/receiver equipment like WiFi/Bluetooth etc…


But wait a minute, I got so far talking about Furby's history, and not yet even explained how I found myself trying to hack into Furby's app in the first place!
So to be honest, my ex-girlfriend was really bagging to get this ugly pink polka-dots Furby for her birthday and I didn't want to dissapoint her, so I checked out Amazon and ordered one right away.

For a whole week I had to hear this intolerable creature making stupid noises, until one day I decided to let my hacker's mind free and started looking for ways I can manipulate this toy to do something more useful than just ask for food and make irritating noises all day. Soon enough I found some extremely interesting reverse-engineering and hacking articles that were previously written about it: here, here, here and here.
But then I realized I would have to ruin brand new toy to actually be able to do anything like that, so I had no choice but to give up on this idea.

Few days later my ex-girlfriend came to me and told me there's a specific section within the Furby BOOM app that she cannot understand how to get through. I quickly looked at it and noticed this section is a "promo section".
Apperently, besides of taking care for the Furby, the Furby BOOM app has some side-games aimed to keep the players busy. One of those games asks the user to "hatch" eggs. There are all kinds of ways to hatch an egg, but some eggs can only be obtained in special ways – for examples those eggs in the promo section.

To get promo eggs the user will have to first find and then scan a QR code that is unique to a specific promo egg. Those QR codes can be found on several places, some appear on Hasbro's website, some at other partner's websites like "Stardoll", and some require the user to actually buy his Furby from a specific store like "Target", "Amazon" or even from country-specific retailers like "Mighty Ape" in New-Zealand. There are twelve special eggs in total that can be obtained by twelve different QR codes, and in reality it should be impossible to obtain all twelve eggs together.


Any clever player would first try to google for those QR codes, and would easily find some of them on pages like this one. But after digging the web, I was able to find only ten unique QR codes, or maybe eleven, but not the whole twelve. So I was thinking, what can I do to find all of them?


The analysis

Let's first take a look at one QR code.
After decoding the QR code we get a pretty interesting text, a URL to be more accurate:http://www.hasbro.com/furby/eggs/PDFIH
Accessing this URL from a PC browser would return a 404 Not Found error message. But if we would try to access the same page from a mobile device (or just change our User-Agent), we would be transferred to download the Furby BOOM app from the App store. Interesting fact, but it doesn't really lead us anywhere.
Trying to decode another QR code reveals another URL: http://www.hasbro.com/furby/eggs/MOSDV
And a third one: http://www.hasbro.com/furby/eggs/SKJWW

At this point we can already see a clear pattern for the QR codes that starts with a URL to Hasbro's website and ends with 5 chars long alphabetic string. Where can we find the rest you ask? Inside the Furby BOOM's app of course!

Taking a first look at the app's decompiled code might cause a code phobia to some of you, but we are not here to reverse engineer the whole Furby BOOM's app, we are just looking for a way to get past the promo section. One way would be to patch the app once we find that interesting section, but a simpler way would be to look for one or two of the unique codes we already know within the app's code/resources and hopefully find the rest of the codes next to them, that would be an educated guess.


A quick look at the decompiled code revealed that the app makes a use of many different library functions, but doesn't consist a lot of its own unique Java code, and within that code not even one occurrence of the alphabetic codes we are looking for.
Diving deeper into the code revealed a section written in Java that takes care of loading JNI (or Java Native Interface) in the form of .so file (a shared object, dynamically linked library, or just DLL).
Looking at the assets folder, under bin/data/ path, exposed the interesting DLLs, but what can we do with binary files like these? The answer is very simple, we can do whatever we do with any other binary file! That means we can debug the code with a debugger, or we could disassemble it with a disassembler, like IDA Pro for example.
In addition to those files we can see another list of files called sharedassets0.assets.splitXX numbered from 0 to 9. All of those represent a single Unity asset file spitted into 1 MB files.
Unity asset file consists of all kind of resources like Textures, Animations, Shaders, MonoScripts (C#, JavaScript and Boo code) and others. We can easily extracts those resources using a software like "Unity Assets Explorer".
Once we extract those we can use a grep command to search for our unique alphabetic string, and soon enough we find it in one of the resources, prefixed to a string "PROMO_EGG_XXXXX" (the X's represent the codes).
With this information we can just look for all other occurrences of the same string, and indeed it revealed to us all possible promo codes!

All left to do now is to convert each code back to its URL format, generate a QR code out of these URLs, and scan each QR code through the Furby BOOM app.

Below you can find all of the QR codes:

BNSJZ KPEFG MHKLA MOSDV OKOHW
PDFIH PPAJS QERSZ QKDIW SKJWW
TSHOE ZFTRE

Closing words

There are probably plenty of different ways we could take to achieve our goal, and probably even better useful things we could investigate if we really wanted to hack the Furby or its mobile app, but I decided to stick with my goal and do it in a fast'n'dirty way. Bottom line - it worked! So I was pleased with the result, and this is to prove that not everything must be done from top to bottom every time.