About 5 months ago I ordered a n̵e̵w̵ ̵t̵o̵y̵ ̵f̵o̵r̵ ̵m̵e̵ Christmas present for my son. A Toniebox. It seems there was quite a hype about them at the time since it took almost half a year until it finally arrived, but that is another story.
It’s basically a very simple audio player for kids, where you play an audiobook by placing the appropriate toy figure (a “tonie”) on it and it starts playing.
The content gets downloaded from the company’s servers and cached on the device.
Of course I wanted to have a closer look from the technical side at it, so here are my findings:
After I take the Toniebox out of its box (the Toniebox-box?) and put it onto the charging station it greets me with an audio-message (it has no display) saying that it needs to be set up. On my phone I’m already on the company website’s setup page following the wizard.
Of course my laptop and home WiFi are already prepared so that all traffic gets routed through an ssl-intercepting proxy running on the laptop.
At a certain step I have to switch my phone to the Toniebox’s own setup WiFi network. What’s really nice is that the setup wizard automatically redirects at this step to the Toniebox’s IP address (192.168.1.1) and the wizard page there has the same styling as the previous steps’ pages, so normal users probably won’t even notice that they are no longer using “the internet” here.
Now I choose my home network, enter the passphrase and click next.
Almost instantly the box tells me “Fehlercode Eule” (German for “error code owl”). I look at my proxy output and see this:
Hmm, so the box seems to care about ssl certificates,̷ ̷b̷u̷m̷m̷e̷r̷, very good, that’s how it should be.
So I quickly disable the proxy and retry the configuration, now it works.
Before I put the tonie on there (it downloads the content on “first contact” with a new tonie) I re-enable the proxy again, just in case they were sloppy and only check certificates for some initial handshake. But again, they did a good job and we hear from our good friend the owl again.
So after disabling the proxy again and while enjoying the audiobook about a tiger that can’t write, I tinker around a bit more.
The good news is that the box does NOT make any more unnecessary server calls when I put the figure on it the following times, or on play/pause or other actions. So no creepy spying, hooray.
Next up: portscan!
But again, a quick and an extensive scan both show no problems, everything closed down:
Next step: Looking at the hardware side
The documentation from the vendor and from websites is (probably on purpose) not very clear here. Sometimes it mentions RFID, sometimes NFC.
The way I have encountered these technologies so far is that RFID tokens are typically really dumb “wireless barcodes”, basically, that just transmit their ID. So these would be really easy to clone.
NFC on the other hand can act as a dumb ID, but more often than not uses more sophisticated challenge-response mechanisms since the chips in them are basically smartcards (like your banking card) so they can do arbitrary computations. In other words: basically impossible to copy.
My first attempt is to read the tonie with an NFC reader app on my phone, sadly with no results (did not get recognized as an NFC tag).
NOTE: I know there also are more sophisticated chips in use with RFID technology, I’m just saying this is what I’ve typically come across so far.
Next try: feed some other RFID tags/cards to the toniebox and see if it reacts in any way — blinking, sound, network-traffic:
However, also nothing.
The Toniebox seems to be a really well-made product that cares about the customer’s privacy and security. Naturally it’s also in the company’s best interest to make it reasonably difficult to copy the tonies, for example. Sadly this also makes it harder to tinker with the product, of course.
This round goes to the toniebox, but I’m not giving up yet :)
Next possible steps:
- Take a look at the webserver which is running during the setup process (where we tell the toniebox about our home WiFi)
- Try to read the tonie with an RFID reader
More ideas for what I could try are welcome, of course! Let me know in the comments.