New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids
from the barbie-needs-a-better-firewall dept
We’ve long noted how the painful lack of security and privacy standards in the internet of (broken) things is also very well represented in the world of connected toys. Like IoT vendors, toymakers were so eager to make money that they left even basic privacy and security standards stranded in the rear view mirror as they rushed to connect everything to the internet. As a result, we’ve seen repeated instances where your kids’ conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.
With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is increasingly becoming a bigger problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth and wifi-enabled toys that allow a total stranger to listen in on or chat up your toddler:
“The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.”
Again, the problem isn’t just bad security, it’s the total lack of security:
“With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.”
Genesis was already facing a lawsuit here in the States accusing it of violating COPPA (the Children’s Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids’ conversations and personal data collected by the toys are being shipped off to servers and third-party companies. Said lawsuit also points out how the privacy policies governing the collection of kids’ data aren’t clear, aren’t prominently displayed, and often change without notice. Overseas the reaction has been notably more hysterical, with German regulators urging parents to destroy these not-so-smart dolls or pay massive fines.
As is usually the case, the companies responsible for this total privacy and security failure like to portray these flaws as limited in scope and unlikely to be exploited:
“The British Toy and Hobby Association, of which Vivid and Hasbro are members, said: ‘The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security.
“We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality.’”
Again though, what we’re often talking about isn’t just vulnerabilities, but no security or privacy standards whatsoever. The idea that this isn’t being exploited, however infrequently, seems unlikely — especially as the media highlights more and more similar flaws. And again, with the internet of broken things introducing millions of new attack vectors into homes and businesses worldwide every day, the impact of this sort of privacy and security apathy will be cumulative.
Filed Under: iot, kids, privacy, smart toys, surveillance
Comments on “New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids”
HUH? Why blame "Luddites" for LOUSY technology?
You’re ranting AGAINST technology here, doing the very thing that supposedly defines “Luddite”, you feeble little netwit!
This piece more clearly than usual shows that your writing method is to sketch a rant then spice it up with mixed and mangled phrases, topped with a few pejoratives.
It’s why I suspect that YOU are only a disappointing experiment in AI.
Anyway. Nothing more than a rant you overheard in a bar. Not a hint of fix, that corporate officers should be hanged for easily avoidable flaws, just vague “well, that’s capitalism for you”.
Re: HUH? Why blame "Luddites" for LOUSY technology?
“This piece more clearly than usual shows that your writing method is to sketch a rant then spice it up with mixed and mangled phrases, topped with a few pejoratives.”
I think you should print out this sentence, frame it, and hang it on your screen.
Re: HUH? Why blame "Luddites" for LOUSY technology?
I was particularly entertained by the omission of the simple point that Bluetooth has incredibly short range – 100 meters in perfect conditions for class 1, 10m for class 2, and effective ranges of “inside the room” for the most part. While it is often similar in power to wifi, its frequency range isn’t very good at getting through walls and whatnot.
So while hackable, the hacker would need to be pretty darn close to your child to start with. Perhaps that is a little more worrying!
WiFi is a bigger issue, and always will be. However, considering many of us have a hard time getting wifi to work properly throughout our homes, you once again get into a situation where the hacker has to be reasonably close to get connected. Seems more creepy than anything.
Re: Re: HUH? Why blame "Luddites" for LOUSY technology?
If Elmo tells your kid to go outside and get into the nice white van, will your kid disobey?
“The industry takes its responsibilities incredibly seriously when it looks like you might actually fine us & hold us accountable for saving a couple cents.”
Most people still think they live in a “free society”…
NASA to baby, CB to off-radio
This reminds me of waking up one morning to “Breaker Breaker One Nine, What is your handle?” on my radio — that was turned off — about 25 years ago. The neighbor’s CB wasn’t shielded properly and he had a huge antenna.
Or how about the one where the baby monitor was picking up from NASA? Sometimes even picking up the video.
Both of these can be found on the internet.
Does anyone remember the "Talky Tina" Twilight Zone episode?
I think at this point, it’s due a technology-driven update.
I expect that the major limiting factor in exploiting these poorly secured devices is a shortage of attackers, relative to the number of easy targets available. I’m not saying there aren’t attackers, only that there aren’t enough of them to make full use of the many many opportunities that IoT vendors have made available. Exploiting children’s toys is a bit more interactive and less scriptable than the financial / identity fraud discussed in other stories.
Do you think we could get them to babysit while they’re listening in?
Toy makers are still blinded by “data==$$”-think, for which they are obliged to abandon the reputation-economy.
These toys take care of the children. Think of them. /s
The danger of access by unauthorized third parties is a real one, but I think the danger of access by the manufacturer (even though it “authorizes” itself to do this) is a much bigger one. If it follows the usual practices, it will use that data to recognize and profile people. Furthermore, the US government can take any and all of the data at any time through a “national security letter.”
Just because you and I are no longer children does not mean this isn’t dangerous to us. I’ve decided not to accept any such “connected” devices — no exceptions.
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)