Quadcopter Malware Proves Connected Toys Are A Security Risk

Christian Cawley 17-02-2015

Like a subgroup of the Internet of Things What Is the Internet of Things? What is the Internet of Things? Here's everything you need to know about it, why it's so exciting, and some of the risks. Read More , connected toys are the new generation of children’s toys – often using Wi-Fi and an iOS or Android-based remote control to manage and manipulate a car, quadcopter, or Lego robot.


We’ve recently learned that malware has been introduced to a quadcopter toy, a revelation that has left security-conscious parents concerned. If it can happen with one toy, what’s to say it couldn’t happen with another?

And if this was to be repeated with one or more toys, what might the results be?

The Quadcopter Malware Threat

Consider: drone use is increasing militarily, commercially (think Amazon Delivery Drones) and recreationally. The threat of a backdoor, where malicious code can be uploaded and the device compromised, is extremely worrying whether you’re thinking of a child’s toy or a device capable of deploying missiles.

Rahul Sasi has created a demonstration of his drone malware, Maldrone, a proof-of-concept that highlights just how poor security in this area actually is.

See the video below, in which Rahul disables the drone in mid-flight.


While the attack in this example only disables the quadcopter, this is just the tip of the iceberg.  If other devices were to feature cameras and GPS support, the potential for a privacy-related misuse could be considerable.

All of this comes, incidentally, in the same week that we learned that an off-duty government employee lost control of his UAV during recreational use, causing the camera-less device to crash into the grounds of the White House Facebook Goes Down for an Hour, As Drone Crashes into White House [Tech News Digest] Facebook suffers outage, drone crashes into White House, Microsoft announces financials, Nest replaces Dropcams, Funny or Die thinks weather is funny, and the BMW ad celebrating ignorance. Read More .

Now that it is clear that quadcopters can be hacked, attention must turn to other connected toys. Like the wider Internet of Things – already a security nightmare Why The Internet of Things Is The Biggest Security Nightmare One day, you arrive home from work to discover that your cloud-enabled home security system has been breached. How could this happen? With Internet of Things (IoT), you could find out the hard way. Read More  – kid’s toys are now a potential security risk.

More Toys That Might Represent An Attack Vector For Hackers

Quadcopters are proving very popular at present, both among the older geek market and kids that love RC toys. The idea that such toys, and their relevant apps, might present a security risk is a surprise, but one that we must take seriously.


What other toys might be at risk from hackers, and how might these devices be misused? I’ve taken a look at some that might represent an opportunity for malware developers. Note that none of these devices is actually known to be hacked.

Lego Mindstorms EV3

Lego’s popular Mindstorms kits are for young (and, um, not so young!) robotics enthusiasts, and come complete with a programmable computer “brain” and various sensors, such as infrared and touch, and motors. The most recent range, EV3, features a USB host port, WiFi connectivity and support for Apple device connectivity and microSDHC slot How To Choose The Right SD Card For The Job SD cards aren't all about storage! In fact, there are several other factors to consider, and when purchasing your cards, you should make yourself aware of them. That said, SD cards aren't all created equal,... Read More ; this is in addition to the Bluetooth support of previous ranges.

Malware developed to hack these kits might do more than simply take control over the direction of the device. There is potential to gather data from the sensors included.

Ollie & Sphero

This is technically two toys, but the risks are identical. Controlled via an Android or iOS app, Ollie and Sphero are futuristic remote controlled cars, but without the car. Ollie is a ruggedized, all-terrain barrel, while Sphero is, as you might have guessed, a ball.


The risk here exists via the mobile apps. If a vulnerability in the API can be uncovered, these devices might be hijacked. While there is little risk here other than mischief making, it remains a concerning proposition.

LeapPad Tablets

Perhaps the most obvious connected toy security risk is with kids tablets, and it is the LeapPad range that prove particularly popular. These are wireless-enabled tablets, educational tools for children.

Fortunately, these devices have been tested by the developers and feature a kid-safe web browser. However, the connected nature of the devices means that they represent an opportunity for toy based malware developers.

Toy Manufacturers and Parents Need to be Aware of the Risks

Thanks to Rahul Sasi, the security risks inherent with these recreational drones are becoming clearer; risks that might also exist with other connected toys. While the video above demonstrates the Maldrone software with a laptop, there is no reason why a mobile app – such as those required for the Ollie and Sphero vehicles – might not be used, making the hijacking of such a toy not only quicker, but also invisible.


Has the arrival of quadcopter malware opened your eyes to the possibilities of a toy going rogue? Are you a concerned parent, or do you keep your young ones away from connected toys? Let us know in the comments.

Image Credits: Programmer on a computer Via Shutterstock

Related topics: Drone Technology, Internet of Things, Parenting and Technology, Toys.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. dragonmouth
    February 18, 2015 at 1:51 pm

    "a revelation that has left security-conscious parents concerned"
    They can't be too security-conscious or too computer-literate or too concerned if they do not recognize the fact that any device that is WiFi-enabled can be used as an "attack vector for hackers."

    "Has the arrival of quadcopter malware opened your eyes to the possibilities of a toy going rogue?"
    Will the arrival of quadcopter malware opened anybody's eyes to the possibilities of a driverless car going or being taken rogue?

    • Christian Cawley
      February 20, 2015 at 4:22 pm

      Unfortunately, DM, I find most parents aren't even security-unconscious... it's like there's a gap, but they don't know it's there.

      With regards to driverless/smart cars, there is an article in development :)