• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Current News   »   Movie Tech Review: Child’s Play 2019

Movie Tech Review: Child’s Play 2019

  • Posted on:June 21, 2019
  • Posted in:Current News
  • Posted by:
    Mark Nunnikhoven (Vice President, Cloud Research)
0
BETRAYED: A Trend Micro Child's Play Tech Review

A while back, Rik & Kasia Ferguson shared their thoughts on the movie, “Unfriended: The Dark Web.” The dark web and technology in general plays a pivotal role in the movie’s plot, so the team decided it would be interesting to have a real-world expert review.

Everyone had a lot of fun, and thus Trend Micro movie reviews were born. I was “fortunate” enough to get the next call. The downside? The movie is, “Child’s Play” and I don’t do horror movies well.

Opening night, I powered through, watched the movie and was…pleasantly surprised?

The Movie

Was there too much gore and violence? Absolutely. However, the movie was a lot better than I expected, with an eerie performance by Mark Hamill as the voice of Chucky. Aubrey Plaza, as Karen, played her role well, which added the only real-relatable character of any depth beyond Chucky.

How does this movie rate in the horror genre? No idea. What I do know is that I enjoyed it more than I expected—which was, an admittedly low bar—and found myself entertained for the duration.

[ Spoilers ahead : scroll down if you’re ok with that ]

⤵️

⬇️

⬇️

⬇️

⬇️

⬇️

⬇️

⬇️

⬇️

⬇️

⬇️

Bad Training Data

Unlike the original entries in the series, this edition brings Chucky into the 21st century. Chucky is no longer a demonically possessed doll, but a blank slate in the form of a nascent AI in a robotic toy doll.

As with any AI or machine learning model, the AI starts off neutral. It requires training data in order to generate results. In Chucky’s case, he is a unique example of the “Buddi” product.

In a classic insider supply chain attack, a QA employee is fired by an overly abusive boss, but before he’s removed from the property, the employee is ordered to finish one last Buddi doll: Chucky.

This employee modifies Chucky’s code to remove any boundary checking for his core behaviours. This creates a truly unbounded, clean slate for the AI that is set out into the world.

Skipping ahead, Chucky is trained on a biased data set. This bias is the naive world view of a group of kids and their run-down neighbourhood. Chucky is exposed to crude humour, horror movies and heated emotional commentary…all without the context to process it.

This tunes the AI to generate the psychotic behaviour that fuels the rest of the movie.

IoT Insecurity

One of the features of this 21st century Buddi doll is the ability to control your smart home. Think of the doll like a walking Alexa or Google Home. Of course, there’s zero authentication or information security controls in place.

Once he’s synced with the latest update from the cloud, Chucky can simply wave his tiny finger and control the devices around him.

This leads to a number of issues around privacy (in this case, used to increase the suspense and move the plot forward) that mirror cases we’ve seen in the real world.

3rd party access to smart speakers to terrorize unsuspecting victims, remote viewing of private video streams, and manipulation of key devices, like thermostats, have all happened already in the real world, but not by rogue AIs.

…yet.

Lateral Movement

In the movie’s climax, Chucky really lets loose. He comes into his digital powers and starts to wreak havoc. Our heroes and supporting cast struggle to respond to this maniacal behaviour. The interesting point is that Chucky has developed enough as a character by this point to understand that it’s not maniacal behaviour from his perspective. To him, it’s perfectly reasonable. This underscores the fact that AI is only as good as it’s training data and won’t highlight bad results from a bad model.

While striving to reach his goal, Chucky—a trusted endpoint in the corporation’s services network—reaches out to all of the compatible devices within his local area.

This type of lateral movement is extremely common in today’s cyberattacks.

The movie presents the issue in an overly dramatic fashion (it is a movie after all), but the point stands up. Most technologies, IoT specifically, are generally designed with two types of endpoints: trusted and untrusted.

Security and privacy controls are then designed to prevent untrusted endpoints from accessing trusted endpoints. Trusted endpoints have little to no verification applied when communicating with each.

In “Child’s Play”, this results in disastrous consequences. In the real world, too.

The movie is a stark—and bloody—reminder that networks and systems need visibility across all endpoints and layers and layers of security and privacy controls.

Takeaways

The way the movie leverages poor AI training, a lack of IoT security, and lateral movement techniques is intriguing, but what really caught my attention is the larger trend within the horror and suspense genre.

Films are moving away from fantasy and otherworldly villains to digital ones. That’s a reflection of how big a role technology plays in our lives, as well as the general lack of deep understanding of how it works.

For me—and the security community—that’s a big challenge: helping people understand cybersecurity and privacy in context.

If you’re looking for a fun suspense film with a technology slant, I would—shockingly— recommend watching this movie. As long as you have realistic exceptions and remember that breaking most current IoT security is…child’s play.

[ 🤣Sorry, couldn’t resist ]

Related posts:

  1. The Synergy of Triple Play
  2. Tech-Challenged Moms Rely on their Savvy Kids
  3. What Enterprise Leaders Should know about Persistent Threats in 2019
  4. Keys to Safeguarding Consumer Data in 2019

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Advanced Cloud-Native Container Security Added to Trend Micro's Cloud One Services Platform
  • Trend Micro Goes Global to Find Entrepreneurs Set to Unlock the Smart Connected World
  • Winners of Trend Micro Global Capture the Flag Demonstrate Excellence in Cybersecurity
  • Companies Leveraging AWS Well-Architected Reviews Now Benefit from Security Innovations from Trend Micro
  • Trend Micro Announces World's First Cloud-Native File Storage Security
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, MĂŠxico
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, EspaĂąa, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.