Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Penetration Testing, Cyber Security

The Hackable Home: Hug me and tell me your secrets

The Hackable Home: Hug me and tell me your secrets
Written by

Elliott Thompson

Published on

9 May 2017

The Hackable Home: Hug me and tell me your secrets


SureCloud recently partnered with ‘Which?’ to demonstrate some of the risks that exist in the internet-connected home, through identifying and exploiting vulnerabilities within a range of popular Internet of Things (IoT) devices. For the project, ‘Which?’ created a test environment, filling a house with a range of readily available internet connected devices, such as the CloudPets plush cat.

The project exposed a number of the methods that hackers can use to access our lives and disrupt our internet-enabled devices. One such vector, ‘Which?’, were keen for us to explore. Part of the project was long range, looking to see if digital signals could be intercepted without being within the normal range of devices using Bluetooth Low Energy (BTLE). Our goal was to see if we could retrieve a recording from the CloudPets plush toy from over a long distance.

Android Proof of Concept

To get the full version of the proof of concept working, we needed an Android phone with a 32bit processor. To mimic the speed at which hackers typically work, we were limited on time, and following a trip to the nearest CEX we purchased an Alcatel Onetouch Pixi3, the only phone in the store that had a 32bit ARM processor.

However, the latest version of Android that was officially supported on the Pixi3 was KitKat, from 3 years ago, which is not supported by Termux. Fortunately, there is an old build of CyanogenMod on Lollipop that delivered the minimum requirements for Termux.


However, the Pixi3 does not support BTLE, and thus Chrome’s web Bluetooth does not work on the device. We worked around this by accessing the web page with a phone that has working Bluetooth.

Changing the iptables rules on the Pixi exposed the web interface, but the Web Bluetooth API will only work on secure origins. However, if the origin starts with HTTPS, then it is considered “secure”; meaning it doesn’t matter whether the certificate is trusted or not.

Finally, we had the proof of concept code on the Pixi3 acting as a web server, which could be accessed by my personal Nexus 5 through Stunnel to achieve a secure origin.

Going the Distance

With a working proof of concept, we were able to develop this further, allowing us to exploit the CloudPets weaknesses over a longer distance.

When using the Pixi3 and Nexus 5, our Bluetooth range was severely limited, especially as our target was upwards of 50 meters away. As such, we needed to utilise more powerful hardware. We opted for a UD100 Bluetooth adapter, which has an SMA connector and a 2.4GHz Yagi Antenna.

With the hardware in place, we initially attempted to exploit the cat by plugging the UD100 straight into the Nexus 5 with a USB OTG adapter. After this failed, we re-wrote the proof of concept in Python to work on Linux without the Chrome Web Bluetooth API, with much more success.


For the first step of long range communication we used blue_hydra from Pwnieexpress, and were able to quickly identify the CloudPets toy over Bluetooth from this distance.

The next step was to connect to the device. For manual testing at the start we used “gatttool”, which is part of the Linux bluez suite. Using JavaScript, we could use a simple example to manually transmit over Bluetooth, with “gatttool” to turn on the CloudPets LED.

(Picture taken after we were granted access to the house at the end of the engagement, you can’t see the LED lighting up from across the street)


At this stage we took the commands and used PyGATT to send them using Python. This was relatively straightforward just by using available documentation.

From here, we could send the “Start Recording Audio” command. However, pulling the recorded audio back off the plush was more complicated, so we separated the process into a couple of parts:

  • Setting up notifications on the characteristic ‘xxx-0003-xxx’ with our callback ‘download_ready’ function
  • Sending the “Start Transferring Audio” command
  • Putting all the data together and dropping it to a file
  • Decompressing the audio with the native library

We then combined all of this with the “Start Recording” command, to group everything together. This enabled us to download the compressed audio from the CloudPets toy. There were some issues with this process, where the ‘state’ wouldn’t change quickly enough, so closing the connection based on that didn’t work. Instead, we cut the connection after 60 seconds if the transfer hadn’t finished.

(One of the issues we encountered the same as Context was the compression libraries being 32bit ARM binaries (hence the emergency purchase of the Pixi3). As this was the only device we owned that could run the binaries, we left them in place and just passed everything to the phone over ADB. It was not pretty, but by this point we were happy it was working. Another small challenge was setting up the termux chroot environment so we could access it through ADB.)

Another thing that we did try was to start a second recording whilst the first was being downloaded. This did not go quite as well as we had hoped…

Plus it crashed the cat.

Once we had the compressed audio, we needed to decode and decompress the data. As we only had the Pixi3 connected to ADB, the fastest option was to push the compressed files to it, trigger the decompression and then pull the decompressed files back off again. This was complicated and required a “glue” shell script to get it into the same context as Termux, enabling us to use the CloudPets device as a long-range audio bug. The process could also be reversed to upload audio to the toy – albeit the upload process was much less reliable over long distance than download.

Closing Comments

The BTLE vulnerabilities within these CloudPets toys aren’t just limited to being within the immediate vicinity of them. We’ve now demonstrated that you can exploit the vulnerabilities at 50 metres away, which could mean that you could be next door, over the road, or outside of a location with one of these devices inside, and effectively ‘listen in’ or play messages through them.

‘Which?’ has made multiple attempts to contact CloudPets, including sending direct emails to their CEO around these issues, but have yet to receive any kind of response.

Existing Research

This aspect of the ‘Which?’ project was in no small part simplified, and was accelerated by research conducted by Context IS in February 2017, which is available here:

Context IS Research:

Reference Links