Security Smart Home

New Cases of Hackers Targeting Connected Toys Prove They Remain Unsafe

Christian Cawley 06-03-2017

This is turning into an annual topic: a few weeks post-Christmas, someone discovers that an “amazing” connected toy is actually a massive security and privacy risk, with the safety — and potentially, even the lives — of children put in jeopardy.


And still, no one seems to be proactive in accepting responsibility.

Do your children use online toys, which connect to your home wireless network? If so, what follows may be of considerable concern to you…

Germany Bans Talking Cayla Doll

In February 2017, German authorities decided to ban the sale of the popular talking doll, christened “Cayla”. There was even advice given to parents to destroy any toys they had, although a decision to enforce that action was not made.

The ban was inspired by a proof-of-concept demonstration of a vulnerability in the toy, which is available worldwide.

Cayla is a cute idea. Getting online via Bluetooth and a smart phone with internet access, the doll answers questions, using voice recognition and Google. According to Germany’s telecommunications watchdog, conversations between children and others in range of the doll can be recorded… or even forwarded elsewhere.


“A company could also use the toys to target the child or parents with advertising. Furthermore, if the radio link is not properly secured by the manufacturer, the toy can be used by nearby parties to eavesdrop on conversations.”

But what is the real problem here? Surely a toy providing answers is a great way for children to learn? Well, it’s the execution: the unsecured Bluetooth connection, basically. In short, it’s cost cutting — opting for a shortcut instead of making sure a potentially life changing toy is robust.

Do you or your children own a Cayla doll? We’d suggest destroying such a device is overkill. But if you’re concerned about its ability to retain details of privacy, we’d advise… switching it off. Because, obviously, anything that records voice and conversations is a risk, not just to children, but to the whole family.

Database Hack Leaks Recordings of Children

Did you buy a CloudPet for your offspring, or the descendants of a friend, last Christmas?

This is a toy that has been the center of a horrendous data leak, in which the voices of their owners (and friends and families) have been recorded, stored in an unsecured database and consequentially leaked online.


Just to clarify, that’s 2 million recordings that were hacked. Oh, and they were then held to ransom, all because CloudPets manufacturer Spiral Toys cut costs, time and effort and stored the data (we’ll overlook whether they should have been recording it for now) in a MongoDB database.

(The problem with MongoDB is that it isn’t by default secure. Extra steps need to be taken to secure data stored in this way.)

But it gets worse. Security researcher Troy Hunt has attempted to contact CloudPets on several occasions to highlight the hack, as well as the lack of security within the toys themselves (three character, unhashed passwords; test, staging and production data and websites all stored on the same server.)

The whole sorry story includes a demand of Bitcoin to return the data, a company refusing to communicate with any enquiries from researchers and the press, and a bunch of parents left unaware that their child’s favorite toy is an online security risk. At the time of writing, CloudPets and Spiral Toys have not advised parents of any problems.


Whether you think the data being recorded and subsequently leaked is a problem or not, a company that refuses to engage with anyone over issues like this is not one that you whose products you should be using.

We’ve Seen It All Before

The problem with all of this is that, sadly, nothing is new. Like the fledgling smart home industry 5 Security Concerns to Consider When Creating Your Smart Home Many people attempt to connect as many aspects of their lives to the web as possible, but many people have expressed genuine concerns over how secure these automated living spaces actually are. Read More — which connected toys are an extension of, admittedly — products appear to have been thrown together, with little consideration for concepts such as security and privacy.

No, here the only concepts of interest to the designers is profit, and low manufacturing costs.

Back in 2015, we saw how wireless quadcopter drones could be hacked Quadcopter Malware Proves Connected Toys Are A Security Risk We've recently learned that malware has been introduced to a quadcopter toy, a revelation that has left security-conscious parents concerned. Read More with a piece of relatively straightforward software.


Wind forward a year, and it became apparent that not only had child electronics giant VTech been hacked (with the loss of 6 million accounts of child data VTech Gets Hacked, Apple Hates Headphone Jacks... [Tech News Digest] Hackers expose VTech users, Apple considers removing the headphone jack, Christmas lights can slow down your Wi-Fi, Snapchat gets into bed with (RED), and remembering The Star Wars Holiday Special. Read More ), but they were also putting the onus for privacy and security onto their consumers VTech: Playing Loose With Your Children's Data Hong Kong-based VTech updated terms and conditions following a large security breach in 2015, blatantly shifting the onus of responsibility onto parents and carers without a second thought. Read More .

On each of these occasions, we’ve highlighted ways in which you can ensure your data — and that of your children — remains secure Five Ways To Ensure Your Personal Data Remains Secure Your data is you. Whether it is a collection of photographs you took, images you developed, reports you wrote, stories you thought up or music you collected or composed, it tells a story. Protect it. Read More . We’ve also suggested you demand more from smart toy manufacturers. Put simply, if a connected toy does not meet basic security and privacy requirements (secure data transfer, password protection) and its manufacturers cannot offer secure storage of any data collected, then you need to forget about that particular toy, and move onto the next.

It’s Getting Better

Fortunately, things are changing, just as they are in the mainstream smart home market. Manufacturers are recognizing the need for security and privacy, and releasing new, more robust devices. But keep an eye out for the cheaper gear, that features older hardware and firmware. This is where the problems will persist in the coming years, as manufacturers attempt to sell off older, less secure stock for a fraction of the price.

Do you have a connected toy that you’re concerned about? Perhaps you feel that there is no risk? Tell us your thoughts below.

Image Credit: Sergey Chmel via

Explore more about: Online Privacy, Online Security, Surveillance, Toys.

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *