Skip to content ↓ | Skip to navigation ↓

If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye toward their possible security implications. Some of the risks discussed in this series may be over the top and even comical while others may highlight realistic problems you may not have considered.

In this post I’ll be looking at the Artie 3000 Coding Robot from Educational Insights. The Artie 3000 is a small robotic vehicle equipped with a pen for drawing. The robot is programmed via WiFi and can move forward or backward specified distances, rotate a specified number of degrees, and raise or lower the pen. Some readers may already be familiar with this as a form of turtle graphics. My first introduction to this concept was with a Logo programming language on the Apple IIe at school. I fondly remember typing out long lists of instructions and watching in amazement as the little on-screen turtle darted around the screen gradually drawing out whatever spirograph-esque pattern was described by the algorithm. The Logo programming language, which dates back to 1967, has many implementations aimed at introducing students to concepts of logic and programming. Artie 3000 continues in this tradition by allowing the user to create real-world turtle graphics using a variety of visual and textual programming languages.

Threat

Artie 3000 does not handle sensitive data (beyond perhaps a Wi-Fi passphrase) or pose any physical threat. This greatly reduces, but does not completely eliminate, Artie’s attack surface. A compromised robot could be used as a beachhead to deliver malware or exploits to connecting clients or even other systems on a connected network. An attacker who compromised an Artie 3000 could potentially use it to deliver malware to an unwitting user or to relay attacks onto other devices on the network.  

Attack Surface

Artie 3000 does not require a username or password to operate so we should assume that all of Artie’s functionality is potentially exposed to the attacker. My first thought was to see if the wireless configuration could be subverted for command injection or cross-site scripting. Some quick tests did not reveal weakness and so I moved on to looking at the exposed programming environments. Artie provides visual programming with Blockly as well as textual programming via JavaScript or Python. This seems like it could be a critical attack surface but a further examination reveals that everything runs client-side and only results in WebSocket instructions telling the robot to move. Python support is delivered by Skulpt with robotic controls apparently coming from the Mirobot project based on comments in the web application source.

After my initial attempts to find low-hanging fruit proved unsuccessful, I started wondering about the underlying system architecture. The MAC address was not associated with a specific vendor but an FCC lookup is more informative. (https://fccid.io/ is a great resource!)

Espressif ESPused in Artie

This image from the FCC evaluation show that an Espressif ESP chipset is at the core of this robot. This is a lightweight microcontroller design which further limits the types of vulnerabilities I might look for and how they would be exploited. Command injection is not applicable here and the less common instruction set makes memory-corruption-based attacks more challenging.

Security Impact Conclusions

Although the lack of access controls is not ideal, I don’t see much likelihood of Artie being the subject of any attacks. Between the way it is used, the relatively slim design, and lack of cloud connectivity, there is simply nothing to make this device an easy or attractive target. I do however see the possibility for Artie and other coding toys to have a long-term positive security impact by planting the seed of curiosity in a new generation. Beyond sparking interest, it seems obvious to me that playing with Artie could help develop a child’s ability for logical thought and mechanical intuition. Unlike my experiences with programming Logo on that Apple IIe, using Artie successfully requires more than just entering the right sequence of commands. Using Artie well requires an appreciation of the physical process and how to debug problems like a sliding paper or a false movement. This blending of coding with the real-world may be exactly what the next generation needs to get into the headspace to solve the problems posed by an Internet of Things.