Like a subgroup of the Internet of Things, connected toys are the new generation of children’s toys – often using Wi-Fi and an iOS or Android-based remote control to manage and manipulate a car, quadcopter, or Lego robot.
We’ve recently learned that malware has been introduced to a quadcopter toy, a revelation that has left security-conscious parents concerned. If it can happen with one toy, what’s to say it couldn’t happen with another?
And if this was to be repeated with one or more toys, what might the results be?
The Quadcopter Malware Threat
Consider: drone use is increasing militarily, commercially (think Amazon Delivery Drones) and recreationally. The threat of a backdoor, where malicious code can be uploaded and the device compromised, is extremely worrying whether you’re thinking of a child’s toy or a device capable of deploying missiles.
Rahul Sasi has created a demonstration of his drone malware, Maldrone, a proof-of-concept that highlights just how poor security in this area actually is.
See the video below, in which Rahul disables the drone in mid-flight.
While the attack in this example only disables the quadcopter, this is just the tip of the iceberg. If other devices were to feature cameras and GPS support, the potential for a privacy-related misuse could be considerable.
All of this comes, incidentally, in the same week that we learned that an off-duty government employee lost control of his UAV during recreational use, causing the camera-less device to crash into the grounds of the White House.
Now that it is clear that quadcopters can be hacked, attention must turn to other connected toys. Like the wider Internet of Things – already a security nightmare – kid’s toys are now a potential security risk.
More Toys That Might Represent An Attack Vector For Hackers
Quadcopters are proving very popular at present, both among the older geek market and kids that love RC toys. The idea that such toys, and their relevant apps, might present a security risk is a surprise, but one that we must take seriously.
What other toys might be at risk from hackers, and how might these devices be misused? I’ve taken a look at some that might represent an opportunity for malware developers. Note that none of these devices is actually known to be hacked.
Lego Mindstorms EV3
Lego’s popular Mindstorms kits are for young (and, um, not so young!) robotics enthusiasts, and come complete with a programmable computer “brain” and various sensors, such as infrared and touch, and motors. The most recent range, EV3, features a USB host port, WiFi connectivity and support for Apple device connectivity and microSDHC slot; this is in addition to the Bluetooth support of previous ranges.
Malware developed to hack these kits might do more than simply take control over the direction of the device. There is potential to gather data from the sensors included.
Ollie & Sphero
This is technically two toys, but the risks are identical. Controlled via an Android or iOS app, Ollie and Sphero are futuristic remote controlled cars, but without the car. Ollie is a ruggedized, all-terrain barrel, while Sphero is, as you might have guessed, a ball.
The risk here exists via the mobile apps. If a vulnerability in the API can be uncovered, these devices might be hijacked. While there is little risk here other than mischief making, it remains a concerning proposition.
Perhaps the most obvious connected toy security risk is with kids tablets, and it is the LeapPad range that prove particularly popular. These are wireless-enabled tablets, educational tools for children.
Fortunately, these devices have been tested by the developers and feature a kid-safe web browser. However, the connected nature of the devices means that they represent an opportunity for toy based malware developers.
Toy Manufacturers and Parents Need to be Aware of the Risks
Thanks to Rahul Sasi, the security risks inherent with these recreational drones are becoming clearer; risks that might also exist with other connected toys. While the video above demonstrates the Maldrone software with a laptop, there is no reason why a mobile app – such as those required for the Ollie and Sphero vehicles – might not be used, making the hijacking of such a toy not only quicker, but also invisible.
Has the arrival of quadcopter malware opened your eyes to the possibilities of a toy going rogue? Are you a concerned parent, or do you keep your young ones away from connected toys? Let us know in the comments.
Image Credits: Programmer on a computer Via Shutterstock