New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids

from the barbie-needs-a-better-firewall dept

We’ve long noted how the painful lack of security and privacy standards in the internet of (broken) things is also very well represented in the world of connected toys. Like IoT vendors, toymakers were so eager to make money that they left even basic privacy and security standards stranded in the rear view mirror as they rushed to connect everything to the internet. As a result, we’ve seen repeated instances where kids’ conversations and interests are hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is becoming an ever bigger problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth- and wifi-enabled toys that allow a total stranger to listen in on or chat up your toddler:

“The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.

With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.”

Again, the problem isn’t just bad security, it’s the total lack of security:

“With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.”

Genesis was already facing a lawsuit here in the States accusing it of violating COPPA (the Children’s Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids’ conversations and the personal data collected by the toys are being shipped off to servers and third-party companies. Said lawsuit also points out how the privacy policies governing the collection of kids’ data aren’t clear, aren’t prominently displayed, and often change without notice. Overseas the reaction has been notably more hysterical, with German regulators urging parents to destroy these not-so-smart dolls or pay massive fines.

As is usually the case, the companies responsible for this total privacy and security failure like to portray these flaws as limited in scope and unlikely to be exploited:

“The British Toy and Hobby Association, of which Vivid and Hasbro are members, said: ‘The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security.

“We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality.”

Again, though, we’re often not talking about mere vulnerabilities here, but about the absence of any security or privacy standards whatsoever. The idea that these flaws aren’t being exploited, however infrequently, seems unlikely, especially as the media highlights more and more similar flaws. And again, with the internet of broken things introducing millions of new attack vectors into homes and businesses worldwide every day, the impact of this sort of privacy and security apathy will be cumulative.



Comments on “New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids”

Anonymous Coward says:

HUH? Why blame "Luddites" for LOUSY technology?

You’re ranting AGAINST technology here, doing the very thing that supposedly defines “Luddite”, you feeble little netwit!

This piece more clearly than usual shows that your writing method is to sketch a rant then spice it up with mixed and mangled phrases, topped with a few pejoratives.

It’s why I suspect that YOU are only a disappointing experiment in AI.

Anyway. Nothing more than a rant you overheard in a bar. Not a hint of fix, that corporate officers should be hanged for easily avoidable flaws, just vague “well, that’s capitalism for you”.

MyNameHere (profile) says:

Re: HUH? Why blame "Luddites" for LOUSY technology?

I was particularly entertained by the omission of the simple point that bluetooth has incredibly short range – 100 meters in perfect conditions for class 1, 10m for class 2, and effective ranges of “inside the room” for the most part. While it is often similar power to wifi, its frequency range isn’t very good at getting through walls and whatnot.

So while hackable, the hacker would need to be pretty darn close to your child to start with. Perhaps that is a little more worrying!

WiFi is a bigger issue, and always will be. However, considering many of us have a hard time getting wifi throughout our homes to work properly, you once again get into a situation where the hacker has to be reasonably close to get connected. Seems more creepy than anything.

Anonymous Coward says:

NASA to baby, CB to off-radio

This reminds me of waking up one morning to “Breaker Breaker One Nine, What is your handle?” on my radio — that was turned off — about 25 years ago. The neighbor’s CB wasn’t shielded properly and he had a huge antenna.

Or how about the one where the baby monitor was picking up from NASA? Sometimes even picking up the video.

Both of these can be found on the internet.

Anonymous Coward says:

I expect that the major limiting factor in exploiting these poorly secured devices is a shortage of attackers, relative to the number of easy targets available. I’m not saying there aren’t attackers, only that there aren’t enough of them to make full use of the many many opportunities that IoT vendors have made available. Exploiting children’s toys is a bit more interactive and less scriptable than the financial / identity fraud discussed in other stories.

Richard Stallman says:

The danger of access by unauthorized third parties is a real one, but I think the danger of access by the manufacturer (even though it “authorizes” itself to do this) is a much bigger one. If it follows the usual practices, it will use that data to recognize and profile people. Furthermore, the US government can take any and all of the data at any time through a “national security letter.”

Just because you and I are no longer children does not mean this isn’t dangerous to us. I’ve decided not to accept any such “connected” devices — no exceptions.

Dr Richard Stallman
President, Free Software Foundation
Internet Hall-of-Famer
MacArthur Fellow
