IC University Blog

Playing with Danger: The Security Concerns of Smart Toys

Posted by Julia Curtis on Dec 17, 2020 3:27:55 PM

Our data is collected daily. With security breaches as a common threat, it is important to take precautions in order to keep our data safe, but what about our children’s data? We commonly think of data collection as something that only happens on screened devices while interacting with websites. Your child might not have perused Black Friday sales online, but is there something else that may be collecting their data?

Smart toys are marketed as adding value to playtime via customized interactions, learning abilities, and attention-grabbing features. Unfortunately, just like our favorite gadgets, smart toys can find themselves vulnerable to hacking. However, unlike your favorite tech companies, many toy companies do not deploy the same amount of resources toward security. Your child’s toy may very well be the most vulnerable device in your home. This is concerning because, depending on a toy’s features, a hacker could gather audio and visual recordings, passwords, addresses, phone numbers, names, and GPS locations, or even gain access to other home devices. The data gathered can then be used to steal parents’ and children’s identities, break into homes, eliminate privacy, and identify when and where a child will be at a specific location. Privacy and security risks are not limited to the home either. With so many working remotely this year, compromised toys and other smart devices may now share the same Wi-Fi network as work computers, leading to increased risks for company security.

Smart toy vulnerability is not new. Since their introduction to the market, many toys have been found to include security flaws. Here are just a few:

My Friend Cayla:
Cayla used the internet to respond to voice commands and questions. However, no authentication was required in order to connect to the doll’s Bluetooth device. Due to its unsecured nature, hackers could use Cayla to listen and even speak directly with children. The security flaws and data collection practices led to Germany’s Federal Network Agency labeling Cayla “an illegal espionage apparatus” in 2017. The National Cyber Security Centre in the UK warned of vulnerabilities as well. These weaknesses could be utilized to undermine otherwise secure technology in homes. They demonstrated a scenario where an attacker was able to connect to Cayla’s unsecured Bluetooth and have her perform voice commands to unlock an otherwise secure front door.

Fisher-Price Smart Toy Bear:
This toy included a microphone, camera, speaker, pressure plate, and accelerometer. A security flaw allowed attackers to gain control of the bear’s features. By exploiting this flaw, attackers could record video without any visual indicators to children or their families.

Apps on Tablets Such as Fire HD Kids Edition:
Software on this tablet allows parents to monitor and limit what kids are able to do on the device. Amazon only shares the data it stores with parents; however, third-party apps can collect children’s data if parents allow them to be downloaded onto the device.

Q50 Watch:
This watch allows parents to send messages to children, receive alerts, and track a child’s location. Due to security flaws, hackers could listen to children’s surroundings, intercept all communication, identify a child’s location, and spoof the location of a child.

Despite numerous security issues, the smart toy industry is expected to continue to grow. By 2025 the smart toy market is expected to reach $24.65 billion. Smart toys are not disappearing, so what can you do to keep your child’s data safe?

  • Research any smart toys you are considering and their manufacturers for security issues.
  • Read privacy policies and disclosures closely. If the policies and disclosures are not up to par, consider alternative toys. (Information to look for includes where data is stored, who has access to the data, whether the data can be deleted, whether the company will inform you of discovered vulnerabilities, cyber-attacks, or changes in disclosures/policies, and company contact information.)
  • Ensure the toy utilizes strong authentication and data encryption, only connect toys to trusted and secure Wi-Fi, and always practice good password habits.
  • Keep all smart toys updated with the most recent manufacturer patches and consider additional firmware options when available.
  • Provide the minimum amount of information required with regard to your child’s identity.
  • Monitor interactions with your child and turn the toy off when not in use.
