New Study Finds Poorly Secured Smart Toys Let Attackers Listen In On Your Kids
from the barbie-needs-a-better-firewall dept
We've long noted that the painful lack of security and privacy standards in the internet of (broken) things is also very well represented in the world of connected toys. Like IoT vendors, toymakers were so eager to make money that they left even basic privacy and security standards stranded in the rear view mirror as they rushed to connect everything to the internet. As a result, we've seen repeated instances of kids' conversations and interests being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.
With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is becoming an increasingly big problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth- and wifi-enabled toys that allow a total stranger to listen in on, or chat up, your toddler:
"The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, PIN or any other authentication to gain access. Little technical know-how was needed to hack into the toys to start sharing messages with a child."
Again, the problem isn't just bad security, it's the total lack of security:
"With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid."
Genesis was already facing a lawsuit here in the States accusing it of violating COPPA (the Children's Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies. The lawsuit also points out that the privacy policies governing the collection of kids' data aren't clear, aren't prominently displayed, and often change without notice. Overseas the reaction has been notably more hysterical, with German regulators urging parents to destroy these not-so-smart dolls or pay massive fines.
As is usually the case, the companies responsible for this total privacy and security failure like to portray these flaws as limited in scope and unlikely to be exploited:
"The British Toy and Hobby Association, of which Vivid and Hasbro are members, said: 'The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security.
'We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality.'"
Again, though, what we're talking about is often not just vulnerabilities but the absence of any security or privacy standards whatsoever. The idea that this isn't being exploited, however infrequently, seems unlikely, especially as the media highlights more and more similar flaws. And again, with the internet of broken things introducing millions of new attack vectors into homes and businesses worldwide every day, the impact of this sort of privacy and security apathy will be cumulative.
Filed Under: iot, kids, privacy, smart toys, surveillance
Reader Comments
HUH? Why blame "Luddites" for LOUSY technology?
This piece more clearly than usual shows that your writing method is to sketch a rant then spice it up with mixed and mangled phrases, topped with a few pejoratives.
It's why I suspect that YOU are only a disappointing experiment in AI.
Anyway. Nothing more than a rant you overheard in a bar. Not a hint of a fix, that corporate officers should be hanged for easily avoidable flaws, just a vague "well, that's capitalism for you".
Re: HUH? Why blame "Luddites" for LOUSY technology?
I think you should print out this sentence, frame it, and hang it on your screen.
Re: HUH? Why blame "Luddites" for LOUSY technology?
So while hackable, the hacker would need to be pretty darn close to your child to start with. Perhaps that is a little more worrying!
WiFi is a bigger issue, and always will be. However, considering many of us have a hard time getting wifi throughout our homes to work properly, you once again get into a situation where the hacker has to be reasonably close to get connected. Seems more creepy than anything.
Re: Re: HUH? Why blame "Luddites" for LOUSY technology?
"The industry takes its responsibilities incredibly seriously when it looks like you might actually fine us & hold us accountable for saving a couple cents."
NASA to baby, CB to off-radio
Or how about the one where the baby monitor was picking up from NASA? Sometimes even picking up the video.
Both of these can be found on the internet.
Does anyone remember the "Talky Tina" Twilight Zone episode?
I think at this point, it's due a technology-driven update.
Something useful
I think the danger of access by the manufacturer (even though it "authorizes" itself to do this) is a much bigger one. If it follows the usual practices, it will use that data to recognize and profile people. Furthermore, the US government can take any and all of the data at any time through a "national security letter."
Just because you and I are no longer children does not mean this isn't dangerous to us. I've decided not to accept any such "connected" devices -- no exceptions.
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
MacArthur Fellow