New Study Finds Poorly Secured Smart Toys Let Attackers Listen In On Your Kids

from the barbie-needs-a-better-firewall dept

We've long noted how the painful lack of security and privacy standards in the internet of (broken) things is also very well represented in the world of connected toys. Like IoT vendors, toymakers were so eager to make money that they left even basic privacy and security standards stranded in the rear-view mirror as they rushed to connect everything to the internet. As a result, we've seen repeated instances of kids' conversations and interests being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is becoming a bigger problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth- and Wi-Fi-enabled toys that allow a total stranger to listen in on or chat up your toddler:

"The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.

With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, PIN or any other authentication to gain access. Little technical know-how was needed to hack into the toys to start sharing messages with a child."

Again, the problem isn't just bad security, it's the total lack of security:

"With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid."

Genesis was already facing a lawsuit here in the States accusing it of violating COPPA (the Children's Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies. Said lawsuit also points out that the privacy policies governing the collection of kids' data aren't clear, aren't prominently displayed, and often change without notice. Overseas the reaction has been notably more hysterical, with German regulators urging parents to destroy these not-so-smart dolls or pay massive fines.

As is usually the case, the companies responsible for this total privacy and security failure like to portray these flaws as limited in scope and unlikely to be exploited:

"The British Toy and Hobby Association, of which Vivid and Hasbro are members, said: 'The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security.

'We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality.'"

Again, though, we're often not talking about mere vulnerabilities here, but about the absence of any security or privacy standards whatsoever. The idea that this isn't being exploited, however infrequently, seems unlikely -- especially as the media highlights more and more similar flaws. And again, with the internet of broken things introducing millions of new attack vectors into homes and businesses worldwide every day, the impact of this sort of privacy and security apathy will be cumulative.


Filed Under: iot, kids, privacy, smart toys, surveillance


Reader Comments


  • Anonymous Coward, 16 Nov 2017 @ 4:57pm

    HUH? Why blame "Luddites" for LOUSY technology?

    You're ranting AGAINST technology here, doing the very thing that supposedly defines "Luddite", you feeble little netwit!

    This piece more clearly than usual shows that your writing method is to sketch a rant then spice it up with mixed and mangled phrases, topped with a few pejoratives.

    It's why I suspect that YOU are only a disappointing experiment in AI.

    Anyway. Nothing more than a rant you overheard in a bar. Not a hint of fix, that corporate officers should be hanged for easily avoidable flaws, just vague "well, that's capitalism for you".


    • Anonymous Coward, 16 Nov 2017 @ 5:39pm

      Re: HUH? Why blame "Luddites" for LOUSY technology?

      "This piece more clearly than usual shows that your writing method is to sketch a rant then spice it up with mixed and mangled phrases, topped with a few pejoratives."

      I think you should print out this sentence, frame it, and hang it on your screen.


    • MyNameHere (profile), 17 Nov 2017 @ 1:42am

      Re: HUH? Why blame "Luddites" for LOUSY technology?

      I was particularly entertained by the omission of the simple point that Bluetooth has incredibly short range - 100 meters in perfect conditions for class 1, 10m for class 2, and effective ranges of "inside the room" for the most part. While it is often similar power to Wi-Fi, its frequency range isn't very good at getting through walls and whatnot.

      So while hackable, the hacker would need to be pretty darn close to your child to start with. Perhaps that is a little more worrying!

      Wi-Fi is a bigger issue, and will always be. However, considering many of us have a hard time getting Wi-Fi throughout our homes to work properly, you once again get into a situation where the hacker has to be reasonably close to get connected. Seems more creepy than anything.


      • Bergman (profile), 18 Nov 2017 @ 11:57am

        Re: Re: HUH? Why blame "Luddites" for LOUSY technology?

        If Elmo tells your kid to go outside and get into the nice white van, will your kid disobey?


  • That Anonymous Coward (profile), 16 Nov 2017 @ 5:07pm

    LMFTFY

    "The industry takes its responsibilities incredibly seriously when it looks like you might actually fine us & hold us accountable for saving a couple cents."


  • Anonymous Coward, 16 Nov 2017 @ 5:21pm

    Most people still think they live in a "free society"...


  • Anonymous Coward, 16 Nov 2017 @ 5:27pm

    NASA to baby, CB to off-radio

    This reminds me of waking up one morning to "Breaker Breaker One Nine, What is your handle?" on my radio -- that was turned off -- about 25 years ago. The neighbor's CB wasn't shielded properly and he had a huge antenna.

    Or how about the one where the baby monitor was picking up from NASA? Sometimes even picking up the video.

    Both of these can be found on the internet.


  • Uriel-238 (profile), 16 Nov 2017 @ 7:02pm

    Does anyone remember the "Talky Tina" twilight zone episode?

    I think at this point, it's due a technology-driven update.


  • Anonymous Coward, 16 Nov 2017 @ 8:32pm

    I expect that the major limiting factor in exploiting these poorly secured devices is a shortage of attackers, relative to the number of easy targets available. I'm not saying there aren't attackers, only that there aren't enough of them to make full use of the many many opportunities that IoT vendors have made available. Exploiting children's toys is a bit more interactive and less scriptable than the financial / identity fraud discussed in other stories.


  • Pixelation, 16 Nov 2017 @ 9:48pm

    Something useful

    Do you think we could get them to babysit while they're listening in?


  • Yes, I know I'm commenting anonymously, 17 Nov 2017 @ 3:56am

    Toy makers are still blinded by "data==$$"-think, for which they are obliged to abandon the reputation-economy.


  • Anonymous Coward, 17 Nov 2017 @ 3:08pm

    These toys take care of the children. Think of them. /s


  • Richard Stallman, 19 Nov 2017 @ 1:20pm

    The danger of access by unauthorized third parties is a real one, but I think the danger of access by the manufacturer (even though it "authorizes" itself to do this) is a much bigger one. If it follows the usual practices, it will use that data to recognize and profile people. Furthermore, the US government can take any and all of the data at any time through a "national security letter."

    Just because you and I are no longer children does not mean this isn't dangerous to us. I've decided not to accept any such "connected" devices -- no exceptions.

    Dr Richard Stallman
    President, Free Software Foundation (https://gnu.org, https://fsf.org)
    Internet Hall-of-Famer (https://internethalloffame.org)
    MacArthur Fellow
