This is turning into an annual topic: a few weeks post-Christmas, someone discovers that an “amazing” connected toy is actually a massive security and privacy risk, with the safety — and potentially, even the lives — of children put in jeopardy.
And still, no one seems to be proactive in accepting responsibility.
Do your children use online toys, which connect to your home wireless network? If so, what follows may be of considerable concern to you…
Germany Bans Talking Cayla Doll
In February 2017, German authorities decided to ban the sale of the popular talking doll, christened “Cayla”. There was even advice given to parents to destroy any toys they had, although a decision to enforce that action was not made.
The ban was inspired by a proof-of-concept demonstration of a vulnerability in the toy, which is available worldwide.
Cayla is a cute idea. Getting online via Bluetooth and a smart phone with internet access, the doll answers questions, using voice recognition and Google. According to Germany’s telecommunications watchdog, conversations between children and others in range of the doll can be recorded… or even forwarded elsewhere.
“A company could also use the toys to target the child or parents with advertising. Furthermore, if the radio link is not properly secured by the manufacturer, the toy can be used by nearby parties to eavesdrop on conversations.”
But what is the real problem here? Surely a toy providing answers is a great way for children to learn? Well, it’s the execution: the unsecured Bluetooth connection, basically. In short, it’s cost cutting — opting for a shortcut instead of making sure a potentially life changing toy is robust.
Do you or your children own a Cayla doll? We’d suggest destroying such a device is overkill. But if you’re concerned about its ability to retain details of privacy, we’d advise… switching it off. Because, obviously, anything that records voice and conversations is a risk, not just to children, but to the whole family.
Database Hack Leaks Recordings of Children
Did you buy a CloudPet for your offspring, or the descendants of a friend, last Christmas?
This is a toy that has been the center of a horrendous data leak, in which the voices of its owners (and their friends and families) were recorded, stored in an unsecured database and consequently leaked online.
Just to clarify, that’s 2 million recordings that were hacked. Oh, and they were then held to ransom, all because CloudPets manufacturer Spiral Toys cut costs, time and effort and stored the data (we’ll overlook whether they should have been recording it for now) in a MongoDB database.
(The problem with MongoDB is that it isn’t secure by default. Extra steps need to be taken to secure data stored in this way.)
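The “extra steps” above, as an added illustration that is not part of the original article or anything published by Spiral Toys: two mongod.conf fragments, the first showing the exposed state (no authorization, bound to every interface, which is how older MongoDB packages shipped before version 3.6 changed the default bind address to localhost), the second the hardened one. The comments assume you have already created an administrative user before switching authorization on, otherwise you lock yourself out.

```yaml
# --- Weak: an unattended installation of the era ---
# No "security" section, so authorization is disabled: anyone who
# can reach port 27017 can read and drop every collection.
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on all interfaces, including the public one

# --- Hardened ---
# Step 1 (before enabling authorization): in the mongo shell, create an
# admin user, e.g.
#   use admin
#   db.createUser({user: "admin", pwd: "<long random passphrase>",
#                  roles: ["userAdminAnyDatabase"]})
# Step 2: apply this configuration and restart mongod.
net:
  port: 27017
  bindIp: 127.0.0.1      # only local clients; add your app server's
                         # private address if it is on another host
security:
  authorization: enabled # every client must authenticate
```

After the restart, an unauthenticated connection can still open the socket but every query is refused, which is the behaviour the leaked CloudPets database lacked.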
But it gets worse. Security researcher Troy Hunt has attempted to contact CloudPets on several occasions to highlight the hack, as well as the lack of security within the toys themselves (three-character, unhashed passwords; test, staging and production data and websites all stored on the same server).
The whole sorry story includes a demand of Bitcoin to return the data, a company refusing to communicate with any enquiries from researchers and the press, and a bunch of parents left unaware that their child’s favorite toy is an online security risk. At the time of writing, CloudPets and Spiral Toys have not advised parents of any problems.
Whether you think the data being recorded and subsequently leaked is a problem or not, a company that refuses to engage with anyone over issues like this is not one whose products you should be using.
We’ve Seen It All Before
The problem with all of this is that, sadly, nothing is new. Like the fledgling smart home industry — which connected toys are an extension of, admittedly — products appear to have been thrown together, with little consideration for concepts such as security and privacy.
No, here the only concepts of interest to the designers are profit and low manufacturing costs.
Back in 2015, we saw how wireless quadcopter drones could be hacked with a piece of relatively straightforward software.
Fast forward a year, and it became apparent that not only had child electronics giant VTech been hacked (with the loss of 6 million accounts of child data), but they were also putting the onus for privacy and security onto their consumers.
On each of these occasions, we’ve highlighted ways in which you can ensure your data — and that of your children — remains secure. We’ve also suggested you demand more from smart toy manufacturers. Put simply, if a connected toy does not meet basic security and privacy requirements (secure data transfer, password protection) and its manufacturers cannot offer secure storage of any data collected, then you need to forget about that particular toy and move on to the next.
It’s Getting Better
Fortunately, things are changing, just as they are in the mainstream smart home market. Manufacturers are recognizing the need for security and privacy, and releasing new, more robust devices. But keep an eye out for the cheaper gear that features older hardware and firmware. This is where the problems will persist in the coming years, as manufacturers attempt to sell off older, less secure stock for a fraction of the price.
Do you have a connected toy that you’re concerned about? Perhaps you feel that there is no risk? Tell us your thoughts below.
Image Credit: Sergey Chmel via Shutterstock.com