Tonight’s CSI Cyber: implausible Marla talking doll hack. Fiction stranger than truth for once
A few months ago I was approached by a researcher for CSI Cyber. Yes, the US TV show that fictionalises and stretches the bounds of genuine hacking somewhat.
They had seen our research into My Friend Cayla and wanted to include a talking kids doll in an episode.
I thought long and hard about this; associating ourselves with a show that plays fast and loose with tech reality wasn’t good for our credibility.
However, they seemed genuinely interested in getting the technical facts correct, asking lots of pertinent detail about forensic artefacts that could be found.
Better to give them the material they needed and have the attack look plausible, rather than walk away and have their talking doll look totally far-fetched.
Or so I thought!
We spent a couple of days working on different attack scenarios involving hacking a talking kids doll for the show
The attack, very similar to My Friend Cayla
- Hacker sits in car in street near target house.
- Use a PwnPad (nice and visual for TV) or just a basic tablet seeing as the investigation would rely on the fact that the attacker uses this device as an every-day device, capture & crack the Wi-Fi key for the victim’s wireless network.
- Hacker then accesses their wireless network and turns off the wi-fi of the router, assumes domestic router password is default.
- Hacker creates fake AP. This is a key point – the attacker uses his own mobile device to set up a fake AP, which means that connecting clients will keep a register of its MAC address.
- Child’s Android smartphone/tablet then joins the hacker’s fake access point.
- Hacker can now intercept speech traffic coming from the mobile app and change what is said by the doll to the child, just like Cayla’s Wikipedia lookup function.
- …or, they can modify the local mobile app database to say anything they like in the doll’s voice, like we demonstrated with Cayla.
- …or, just like Cayla, pair with the doll from the attackers smartphone over Bluetooth and use it as a headset, saying anything they like in the attackers own voice.
The investigation path
- Child’s smartphone will have a record of the MAC address of the hackers fake wi-fi access point in hostapd.
- Recover hostapd data, perhaps using ADB. Anything that could access the phone’s file system would work for this, we happened to choose the ADB option as it’s familiar to us.
- After investigating smartphones of two victims of similar attacks, the same MAC address will be found in both hostapd instances . Now there is a trail of evidence to follow.
- The challenge is now to find the hacker from the MAC address. Hard, but not impossible.
The attack was originally to have involved the hacker working at the doll manufacturer, so the investigators would head off to the HQ and sniff Wi-Fi traffic there.
Also potential to investigate router logs, correlate the MAC address of the attacker, triangulate and find them.
There had to be a few assumptions along the line, including that the attacker wasn’t smart enough to flush hostapd, nor spoof MAC addresses. Also that the victim hadn’t set a particularly strong WPA PSK or change their default router admin password.
Finally, there was an assumption that the hacker had taken their attack devices to work with them. Taking a tablet to work wasn’t unreasonable for an amateur…
But it worked and hung together as a plausible attack. There were other options, but these weren’t as visual
We showed them various attack tools that would look OK on camera and would be easy to use; wifite, aircrack the usual suspects.
Instead, something completely different was shown that isn’t based on an attack I’ve seen in the real world. Oh well.
Technical accuracy is often lost in the quest for a story, factual or not.
Watch Mr Robot if you want more accurate tech hacking stories.
Watch the shower scene instead, it’s far more plausible than Marla the talking doll!