A while back, Rik & Kasia Ferguson shared their thoughts on the movie, “Unfriended: The Dark Web.” The dark web and technology in general plays a pivotal role in the movie’s plot, so the team decided it would be interesting to have a real-world expert review.
Everyone had a lot of fun, and thus Trend Micro movie reviews were born. I was “fortunate” enough to get the next call. The downside? The movie is, “Child’s Play” and I don’t do horror movies well.
Opening night, I powered through, watched the movie and was…pleasantly surprised?
Was there too much gore and violence? Absolutely. However, the movie was a lot better than I expected, with an eerie performance by Mark Hamill as the voice of Chucky. Aubrey Plaza, as Karen, played her role well, which added the only real-relatable character of any depth beyond Chucky.
How does this movie rate in the horror genre? No idea. What I do know is that I enjoyed it more than I expected—which was, an admittedly low bar—and found myself entertained for the duration.
[ Spoilers ahead : scroll down if you’re ok with that ]
Bad Training Data
Unlike the original entries in the series, this edition brings Chucky into the 21st century. Chucky is no longer a demonically possessed doll, but a blank slate in the form of a nascent AI in a robotic toy doll.
As with any AI or machine learning model, the AI starts off neutral. It requires training data in order to generate results. In Chucky’s case, he is a unique example of the “Buddi” product.
In a classic insider supply chain attack, a QA employee is fired by an overly abusive boss, but before he’s removed from the property, the employee is ordered to finish one last Buddi doll: Chucky.
This employee modifies Chucky’s code to remove any boundary checking for his core behaviours. This creates a truly unbounded, clean slate for the AI that is set out into the world.
Skipping ahead, Chucky is trained on a biased data set. This bias is the naive world view of a group of kids and their run-down neighbourhood. Chucky is exposed to crude humour, horror movies and heated emotional commentary…all without the context to process it.
This tunes the AI to generate the psychotic behaviour that fuels the rest of the movie.
One of the features of this 21st century Buddi doll is the ability to control your smart home. Think of the doll like a walking Alexa or Google Home. Of course, there’s zero authentication or information security controls in place.
Once he’s synced with the latest update from the cloud, Chucky can simply wave his tiny finger and control the devices around him.
This leads to a number of issues around privacy (in this case, used to increase the suspense and move the plot forward) that mirror cases we’ve seen in the real world.
3rd party access to smart speakers to terrorize unsuspecting victims, remote viewing of private video streams, and manipulation of key devices, like thermostats, have all happened already in the real world, but not by rogue AIs.
In the movie’s climax, Chucky really lets loose. He comes into his digital powers and starts to wreak havoc. Our heroes and supporting cast struggle to respond to this maniacal behaviour. The interesting point is that Chucky has developed enough as a character by this point to understand that it’s not maniacal behaviour from his perspective. To him, it’s perfectly reasonable. This underscores the fact that AI is only as good as it’s training data and won’t highlight bad results from a bad model.
While striving to reach his goal, Chucky—a trusted endpoint in the corporation’s services network—reaches out to all of the compatible devices within his local area.
This type of lateral movement is extremely common in today’s cyberattacks.
The movie presents the issue in an overly dramatic fashion (it is a movie after all), but the point stands up. Most technologies, IoT specifically, are generally designed with two types of endpoints: trusted and untrusted.
Security and privacy controls are then designed to prevent untrusted endpoints from accessing trusted endpoints. Trusted endpoints have little to no verification applied when communicating with each.
In “Child’s Play”, this results in disastrous consequences. In the real world, too.
The movie is a stark—and bloody—reminder that networks and systems need visibility across all endpoints and layers and layers of security and privacy controls.
The way the movie leverages poor AI training, a lack of IoT security, and lateral movement techniques is intriguing, but what really caught my attention is the larger trend within the horror and suspense genre.
Films are moving away from fantasy and otherworldly villains to digital ones. That’s a reflection of how big a role technology plays in our lives, as well as the general lack of deep understanding of how it works.
For me—and the security community—that’s a big challenge: helping people understand cybersecurity and privacy in context.
If you’re looking for a fun suspense film with a technology slant, I would—shockingly— recommend watching this movie. As long as you have realistic exceptions and remember that breaking most current IoT security is…child’s play.
[ 🤣Sorry, couldn’t resist ]