If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye toward their possible security implications. Some of the risks discussed in this series may be over the top and even comical while others may highlight realistic problems you may not have considered.
Looking at Remote Control Cars
When I was a kid, there was nothing cooler than a remote control car. It was the gift I wanted every year, and, over the years, I got a couple. This year, I got a couple more. They use different controllers, but they are essentially the same. I would share the models, but they don’t really have model or manufacturer names. If you search for ‘wifi camera remote control car’ on Amazon, you’ll find dozens of these devices mostly shipping from China.
One of the two cars came with a clip-on camera, while the other’s camera is built into the chassis. Based on their WIFI names, we’ll call the car with the clip-on camera H-car and the other L-car for the duration of this review. The H-car has a much cooler trigger controller, while the L-car has the simpler stick controller. Both controllers have a place to clip in your cell phone in order to watch the transmitted video.
When the cars arrived, they were in very different states. The H-car was nicely packaged and ready to go. The L-car came in an open box and looked like it had been used previously. The H-car QR code directed me to the app store on both iOS and Android in order to download the app, while the L-car tried to direct me to a website with no English content. Given that the instructions for the L-car looked like they had been shoved in as an afterthought (or maybe when the package was opened), this wasn’t surprising.
In both cases, the cars create their own access points that allow the apps to connect to them and, in the case of the removable camera, the access point appears to be built to work with both cars and drones. In fact, I found several products using the same software. These are, of course, completely open access points that you cannot password protect, which brings us to the first issue.
When these devices are turned on, the WIFI access point (AP) is accessible and completely open. This means that anyone can connect to the device. It also means that anyone can send commands via the apps if they recognize the AP naming scheme. This will allow them to not only control the car, but also watch video streaming from it. This could be a major violation of your privacy. Imagine your child leaves their remote control car on: someone outside your home could now drive this car around and get detailed images of the inside of your home.
I suppose you are probably thinking that they would need to recognize the WIFI name and know the software involved. Since there aren’t that many of these controllers and they are reused across products, it is feasible that home invaders could have all the apps and learn to identify the names. Even if they don’t, these products use the Real Time Streaming Protocol (RTSP) to transmit video. Instead of using the various apps, they could just look for open WIFI access points, connect to them, and check the gateway for an RTSP stream with a tool like VLC. If they are looking to automate this as they drive around a neighborhood, they could even use a Python script to find and download stream data for review later. I found a project online designed to capture the video from one of these devices via Python and the code wasn’t that complex.
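A household check for the exposure described above, as an added example that is not from the original post: it parses Wi-Fi scan output in the `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` format and lists access points that advertise no encryption, strongest first, so a toy left powered on inside the home stands out. The sample scan, the SSIDs and BSSIDs, the `min_signal` threshold and the function names are constructed for illustration.

```python
# Constructed sample of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`
# output. In terse mode nmcli separates fields with ':' and escapes literal
# ':' and '\' with a backslash. All names and addresses here are made up.
SAMPLE_SCAN = r"""HomeNet:AA\:BB\:CC\:00\:00\:01:WPA2:82
toy-cam-1234:AA\:BB\:CC\:00\:00\:02::71
CoffeeShop Guest:AA\:BB\:CC\:00\:00\:03:--:35
Neighbor\:5G:AA\:BB\:CC\:00\:00\:04:WPA2 WPA3:40
:AA\:BB\:CC\:00\:00\:05::64
"""

def split_terse(line):
    """Split one terse-mode line on unescaped ':' and undo the escaping."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped character, keep literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))  # field boundary
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields

def find_open_aps(scan_text, min_signal=50):
    """Return open (unencrypted) APs, strongest first.

    An empty or '--' SECURITY field is treated as open (assumption about how
    the scan tool reports it). 'nearby' marks APs at or above min_signal,
    i.e. likely inside or right next to the home.
    """
    findings = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 4:
            continue                     # not a scan record, skip it
        ssid, bssid, security, signal = fields
        if security.strip() not in ("", "--"):
            continue                     # encrypted network, not a finding
        strength = int(signal) if signal.isdigit() else 0
        findings.append({"ssid": ssid or "<hidden>", "bssid": bssid,
                         "signal": strength, "nearby": strength >= min_signal})
    return sorted(findings, key=lambda f: -f["signal"])

if __name__ == "__main__":
    for ap in find_open_aps(SAMPLE_SCAN):
        flag = "NEARBY" if ap["nearby"] else "distant"
        print(f'{flag:7} {ap["signal"]:3}%  {ap["bssid"]}  {ap["ssid"]}')
```

Since the page notes these access points cannot be password protected, a nearby hit that matches the toy means powering it off rather than reconfiguring it.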
That is not, however, the only issue. This one might fall into the sibling prank category, but it could also be used to annoy a neighbor or even for malicious purposes. When you connect to the access point, you control the vehicle. So, via the app, you could drive the car around the house (as mentioned above), but you could do something more dangerous. What if a horrible person takes control of the car as your child is playing outside and drives it into traffic? It’s a disgusting thought, but it’s definitely a reason why I would never give one of the cars to a child. I was actually happy to see that one of the cars (L-car) was labeled 14+.
Beyond that, you don’t even need the app. The device communicates over UDP for app commands, which means that anyone can simply inject data to drive the car. I spent a while mapping the controls and came up with a list of packets that will cause the car to go Forward, Backward, Forward/Left, Forward/Right, Backward/Left, and Backward/Right. I could, in theory, if one of my neighbors in my apartment building got one for Christmas, write a script that simply causes the car to drive in circles. This is why I called it the sibling prank category. I could see a younger version of myself, torturing my little sister by having the car drive in circles every time she tried to use it.
This last issue is less of an issue and more of a concern. I’m not a fan of these USB rechargeable devices that come with their own chargers, especially ones that are rather large and could contain storage with malicious code. Similarly, I don’t like the idea of a QR code, particularly one that redirects you to a questionable website. While nothing jumped out to me with these two products, I was incredibly careful when I first started using them. If you get your child one of these devices for Christmas, consider only using USB chargers and not plugging the devices directly into your computer. Similarly, if you can find the correct app without the QR code, that would be the ideal situation, especially if your RC car shows up in a box that looks open with instructions that look crammed in as an afterthought.
At the end of the day, only you can decide if you trust these vehicles. Since you connect to their access point, that minimizes the risk of them accessing devices on your network. I suppose they could wait for your phone or tablet to connect, compromise it, and have malicious software that waits to connect to devices on a real network, but I’m going to call that one far-fetched. I don’t think these devices are necessarily malicious; they are simply not well designed.
While I think these would make a suitable gift for a teenager, I wouldn’t want to give them to a child unless I was using the toy with them at all times and ensured that there was nothing confidential visible and that we were in a safe place where a rogue RC Car won’t cause damage. It’s a fun toy, unless you’re my cat – he only liked it when it moved slowly – so I wouldn’t say don’t buy it, I’d just say exercise caution when using it.
Hacking Christmas Gifts: Putting IoT Under the Microscope