First quick security impressions of the “Toniebox”

Paul Klingelhuber

About 5 months ago I ordered a n̵e̵w̵ ̵t̵o̵y̵ ̵f̵o̵r̵ ̵m̵e̵ Christmas present for my son. A Toniebox. It seems there was quite a hype about them at the time since it took almost half a year until it finally arrived, but that is another story.

It’s basically a very simple audio player for kids, where you play an audiobook by placing the appropriate toy figure (a “tonie”) on it and it starts playing.

The content gets downloaded from the company’s servers and cached on the device.

Of course I wanted to have a closer look from the technical side at it, so here are my findings:

After I take the Toniebox out of its box (the Toniebox-box?) and put it onto the charging station it greets me with an audio-message (it has no display) saying that it needs to be set up. On my phone I’m already on the company website’s setup page following the wizard.

Of course my laptop and home WiFi are already prepared so that all traffic gets routed through an SSL-intercepting proxy running on the laptop.

At a certain step I have to switch my phone to the Toniebox' own setup WiFi network. What’s really nice is that the setup wizard automatically redirects at this step to the toniebox’ IP address (192.168.1.1) and the wizard page there has the same styling as the previous steps’ pages, so normal users probably won’t even notice that they are no longer using “the internet” here.

Now I choose my home network, enter the passphrase and click next.

Almost instantly the box tells me “Fehlercode Eule” (German for “Error code owl”). I look at my proxy output and see this:

[Image: mitmproxy error message]

Hmm, so the box seems to care about ssl certificates,̷ ̷b̷u̷m̷m̷e̷r̷, very good, that’s how it should be.

So I quickly disable the proxy and retry the configuration, now it works.

Before I put the tonie on there (it downloads the content on “first contact” with a new tonie) I re-enable the proxy again, just in case they were sloppy and only check certificates for some initial handshake. But again, they did a good job and we hear from our good friend the owl again.

So after disabling the proxy again and while enjoying the audiobook about a tiger that can’t write, I tinker around a bit more.

The good news is that the box does NOT do any more unnecessary server-calls when I put the figure on it the next times or on play pause / other actions. So no creepy spying, hooray.

Next up: portscan!

But again, a quick and an extensive scan both show no problems, everything closed down:

[Image: Nmap summary]
[Image: Nmap textual output]

Next step: Looking at the hardware side

The documentation from the vendor and from websites is (probably on purpose) not very clear here. Sometimes it mentions RFID, sometimes NFC.

The way I have encountered these technologies so far is that RFID tokens are typically really dumb “wireless-barcodes” basically, that just transmit their id. So these would be really easy to clone.

NFC on the other hand can act as a dumb ID, but more often than not uses more sophisticated challenge-response mechanisms since the chips in them are basically smartcards (like your banking card) so they can do arbitrary computations. In other words: basically impossible to copy.
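The difference between the two kinds of tag described above, as an added example that is not part of the original post and is not the Toniebox's actual protocol. It is a simplified model: the class and function names are hypothetical, the UID and key are constructed, and HMAC-SHA256 stands in for whatever algorithm a real chip would use.

```python
import hashlib
import hmac
import secrets

class UidOnlyTag:
    """'Wireless barcode': answers every read with the same fixed ID."""
    def __init__(self, uid: bytes):
        self.uid = uid
    def respond(self, challenge: bytes) -> bytes:
        return self.uid  # the challenge is ignored

class ChallengeResponseTag:
    """Smartcard-like tag: proves knowledge of a key that never leaves the chip."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayTag:
    """A copy built only from one recorded answer of a genuine tag."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

def reader_accepts_uid(tag, expected_uid: bytes) -> bool:
    return hmac.compare_digest(tag.respond(b""), expected_uid)

def reader_accepts_cr(tag, key: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # fresh random nonce on every read
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)

def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample UID
    key = secrets.token_bytes(32)          # constructed shared secret
    uid_tag, cr_tag = UidOnlyTag(uid), ChallengeResponseTag(key)
    # Record one answer from each genuine tag, then present only the recording.
    uid_copy = ReplayTag(uid_tag.respond(b""))
    cr_copy = ReplayTag(cr_tag.respond(secrets.token_bytes(16)))
    return {
        "genuine_uid": reader_accepts_uid(uid_tag, uid),
        "replayed_uid": reader_accepts_uid(uid_copy, uid),
        "genuine_cr": reader_accepts_cr(cr_tag, key),
        "replayed_cr": reader_accepts_cr(cr_copy, key),
    }

if __name__ == "__main__":
    print(demo())
```

The recorded answer of the UID-only tag is accepted again, while the recorded challenge-response answer is rejected because the reader asks a new question on every read.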

My first attempt is to read the tonie with an NFC reader app on my phone, sadly with no results (did not get recognized as an NFC tag).

NOTE: I know there also are more sophisticated chips in use with RFID technology, I’m just saying this is what I’ve typically come across so far.

Next try: feed some other RFID tags/cards to the toniebox and see if it reacts in any way — blinking, sound, network-traffic:

[Image: Putting any RFID token on there I can find]

However, also nothing.

Summary

The toniebox seems to be a really well made product that cares about the customers’ privacy and security. Naturally it’s also in the company’s best interest to make it reasonably difficult to copy the tonies for example. Sadly this also makes it harder to tinker with the product of course.

This round goes to the toniebox, but I’m not giving up yet :)

Next possible steps:

  • Take a look at the webserver which is running during the setup process (where we tell the toniebox about our home WiFi)
  • Try to read the tonie with an RFID reader

More ideas what I could try are welcome of course! Let me know in the comments.

Written by Paul Klingelhuber

Software engineer from Austria. Passionate about software, likes photography, addicted to podcasts and always busy. http://paukl.at
