Hacking Christmas Gifts: Remote Control Cars

5 years ago Tyler Reguly

If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye toward their possible security implications. Some of the risks discussed in this series may be over the top and even comical while others may highlight realistic problems you may not have considered.

Looking at Remote Control Cars

When I was a kid, there was nothing cooler than a remote control car. It was the gift I wanted every year, and, over the years, I got a couple. This year, I got a couple more. They use different controllers, but they are essentially the same. I would share the models, but they don’t really have model or manufacturer names. If you search for ‘wifi camera remote control car’ on Amazon, you’ll find dozens of these devices mostly shipping from China.

One of the two cars came with a clip-on camera, while the other has the camera built into the chassis. Based on their Wi-Fi network names (SSIDs), we'll call the clip-on camera car the H-car and the other the L-car for the duration of this review. The H-car has a much cooler trigger controller, while the L-car has the simpler stick controller. Both controllers have a place to clip in your cell phone in order to watch the transmitted video.

When the cars arrived, they were in very different states. The H-car was nicely packaged and ready to go. The L-car came in an open box and looked like it had been used previously. The H-car QR code directed me to the app store on both iOS and Android in order to download the app, while the L-car tried to direct me to a website with no English content. Given that the instructions for the L-car looked like they had been shoved in as an afterthought (or maybe when the package was opened), this wasn't surprising.

In both cases, the cars create their own access points that allow the apps to connect to them and, in the case of the removable camera, the access point appears to be built to work with both cars and drones. In fact, I found several products using the same software. These are, of course, completely open access points that you cannot password protect, which brings us to the first issue.

ISSUE #1

When these devices are turned on, the Wi-Fi access point (AP) is accessible and completely open: no passphrase, so no encryption and no authentication. This means that anyone within radio range can connect to the device. It also means that anyone can send commands via the apps if they recognize the AP naming scheme. This allows them not only to control the car but also to watch the video streaming from it, which could be a major violation of your privacy. Imagine your child leaves the remote control car switched on: someone outside your home could now drive it around and get detailed images of the inside of your home.

I suppose you are probably thinking that they would need to recognize the Wi-Fi name and know the software involved. Since there aren't that many of these controllers and they are reused across products, it is feasible that home invaders could have all the apps and learn to identify the names. Even if they don't, these products use the Real Time Streaming Protocol (RTSP) to transmit video. Instead of using the various apps, they could just look for open Wi-Fi access points, connect to them, and check the gateway address for an RTSP stream with a tool like VLC. If they wanted to automate this while driving around a neighborhood, they could even use a Python script to find and download stream data for review later. I found a project online designed to capture the video from one of these devices via Python, and the code wasn't that complex.
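As an added example (not part of the original post, and not the script the author found online), here is a small Python probe that does what the paragraph describes once you are connected to an open AP: it sends an RTSP OPTIONS request (RFC 2326) to TCP port 554 on the gateway and parses the reply to see whether an RTSP server is there and which methods it advertises. The default gateway address 192.168.1.1, the port, and the sample reply the block ships with are assumptions for illustration, not values observed on the cars.

```python
"""Probe a host for an RTSP server and report what it advertises.

Added example for this post, not the author's code. Assumptions: the AP
hands out 192.168.1.1 as the gateway and the camera listens on TCP 554.
"""
import socket
from typing import Optional

RTSP_PORT = 554
DEFAULT_GATEWAY = "192.168.1.1"  # assumed; read the real one from your DHCP lease


def build_options_request(url: str, cseq: int = 1) -> bytes:
    """OPTIONS is the cheapest RTSP request: no stream path is needed."""
    return (
        f"OPTIONS {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "User-Agent: rtsp-probe\r\n\r\n"
    ).encode()


def parse_rtsp_response(raw: bytes) -> dict:
    """Split an RTSP reply into status code, reason, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("RTSP/") or not code.isdigit():
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(code), "reason": reason, "headers": headers, "body": body}


def supported_methods(response: dict) -> list:
    """The Public header lists the methods the server will accept."""
    public = response["headers"].get("public", "")
    return [m.strip() for m in public.split(",") if m.strip()]


def probe_rtsp(host: str, port: int = RTSP_PORT, timeout: float = 3.0) -> Optional[dict]:
    """Return the parsed OPTIONS reply, or None if nothing RTSP answers."""
    url = f"rtsp://{host}:{port}/"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(url))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:  # refused, unreachable, or timed out
        return None
    try:
        return parse_rtsp_response(raw)
    except ValueError:  # something answered, but it is not RTSP
        return None


# Constructed sample reply so the parser can be exercised offline; this was
# not captured from either car.
SAMPLE_REPLY = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Public: OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN\r\n"
    b"Server: ExampleRTSP/1.0\r\n\r\n"
)

if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_GATEWAY
    reply = probe_rtsp(target)
    if reply is None:
        print(f"no RTSP server answered on {target}:{RTSP_PORT}")
    else:
        print(f"{target} answered {reply['status']} {reply['reason']}; "
              f"methods: {', '.join(supported_methods(reply))}")
```

A positive answer tells you the camera is reachable by anyone who joins the AP; the next step an attacker would take is DESCRIBE on candidate paths to get the SDP and then PLAY, which is exactly what VLC does when you open an rtsp:// URL. Run this only against devices you own.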

ISSUE #2

That is not, however, the only issue. This one might fall into the sibling prank category, but it could also be used to annoy a neighbor or even for malicious purposes. When you connect to the access point, you control the vehicle. So, via the app, you could drive the car around the house (as mentioned above), but you could do something more dangerous. What if a horrible person takes control of the car as your child is playing outside and drives it into traffic. It’s a disgusting thought, but it’s definitely a reason why I would never give one of the cars to a child. I was actually happy to see that one of the cars (L-car) was labeled 14+.

Beyond that, you don't even need the app. The app's commands are plain UDP datagrams with no authentication, which means that anyone on the access point can simply inject data to drive the car. I spent a while mapping the controls and came up with a list of packets that will cause the car to go Forward, Backward, Forward/Left, Forward/Right, Backward/Left, and Backward/Right. I could, in theory, if one of my neighbors in my apartment building got one for Christmas, write a script that simply causes the car to drive in circles. This is why I called it the sibling prank category. I could see a younger version of myself torturing my little sister by having the car drive in circles every time she tried to use it.
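The author does not publish the packets he mapped, and this added example does not try to reproduce them. Instead it shows, in Python, why an unauthenticated UDP control channel is trivially spoofable and what the minimum fix looks like: the as-shipped style handler executes whatever lands on the port, while the hardened handler requires each datagram to carry a counter and an HMAC-SHA256 tag under a key shared with the controller at pairing time, so a bystander on the open AP can neither forge nor replay commands. The one-byte command codes, the packet layout and the key are assumptions for illustration; this is not the cars' protocol.

```python
"""Unauthenticated UDP control versus an authenticated, replay-resistant design.

Added example for this post, not the cars' protocol. The command codes and
the counter || command || tag layout are assumptions for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Placeholder command codes (assumed, not the packets the author mapped).
COMMANDS = {
    b"F": "forward",
    b"B": "backward",
    b"Q": "forward-left",
    b"E": "forward-right",
    b"Z": "backward-left",
    b"C": "backward-right",
}

COUNTER_LEN = 8   # big-endian uint64 prefix
TAG_LEN = 16      # HMAC-SHA256 truncated to 128 bits


def handle_unauthenticated(datagram: bytes) -> Optional[str]:
    """As-shipped style: whatever arrives on the UDP port is executed."""
    return COMMANDS.get(datagram)


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: counter || command || HMAC(key, counter || command)."""
    msg = struct.pack(">Q", counter) + command
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return msg + tag


class AuthenticatedReceiver:
    """Car side: verify the tag, reject stale counters, then dispatch."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0  # first accepted counter must be >= 1

    def handle(self, datagram: bytes) -> Optional[str]:
        if len(datagram) < COUNTER_LEN + 1 + TAG_LEN:
            return None  # too short to carry counter, command and tag
        msg, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a forged or tampered datagram fails here.
        if not hmac.compare_digest(tag, expected):
            return None
        counter = struct.unpack(">Q", msg[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return None  # replay of an earlier, authentic datagram
        self.last_counter = counter  # an authentic datagram consumes its counter
        return COMMANDS.get(msg[COUNTER_LEN:])


if __name__ == "__main__":
    key = bytes(range(32))  # would be established at pairing in a real design
    car = AuthenticatedReceiver(key)
    print("open port, bare 'F':", handle_unauthenticated(b"F"))
    good = seal(key, 1, b"F")
    print("sealed 'F':", car.handle(good))
    print("same datagram replayed:", car.handle(good))
    print("bare 'F' on hardened port:", car.handle(b"F"))
    print("sealed under wrong key:", car.handle(seal(b"\x00" * 32, 2, b"F")))
```

Two caveats a designer would need to handle beyond this sketch: the counter has to survive the car's power cycles (or be reset as part of a fresh pairing), otherwise a recording from the previous session replays cleanly, and authenticating commands does nothing for the video stream from Issue #1. A WPA2 passphrase on the AP would address both at once, which is why the open AP is the root problem rather than the UDP protocol itself.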

ISSUE #3

This last issue is less of an issue and more of a concern. I'm not a fan of these USB rechargeable devices that come with their own chargers, especially ones that are rather large and could contain storage with malicious code. Similarly, I don't like the idea of a QR code, particularly one that redirects you to a questionable website. While nothing jumped out at me with these two products, I was incredibly careful when I first started using them. If you get your child one of these devices for Christmas, consider charging only from a wall USB charger rather than plugging the devices, or their bundled chargers, directly into your computer. Similarly, if you can find the correct app without the QR code, that would be the ideal situation, especially if your RC car shows up in a box that looks opened with instructions that look crammed in as an afterthought.

Wrapping Up!

At the end of the day, only you can decide if you trust these vehicles. Since your phone joins the car's access point rather than the car joining your home network, the car never gets an address on your LAN, which minimizes the risk of it reaching devices on your network. I suppose they could wait for your phone or tablet to connect, compromise it, and plant malicious software that waits to connect to devices on a real network, but I'm going to call that one far-fetched. I don't think these devices are necessarily malicious; they are simply not well designed.

While I think these would make a suitable gift for a teenager, I wouldn’t want to give them to a child unless I was using the toy with them at all times and ensured that there was nothing confidential visible and that we were in a safe place where a rogue RC Car won’t cause damage. It’s a fun toy, unless you’re my cat – he only liked it when it moved slowly – so I wouldn’t say don’t buy it, I’d just say exercise caution when using it.

Further Reading:

Hacking Christmas Gifts: Putting IoT Under the Microscope

Hacking Christmas Gifts: Artie Drawing Robot

The post "Hacking Christmas Gifts: Remote Control Cars" appeared first on TripWire.

Source: TripWire – Tyler Reguly
