Deral Heiland, IoT Research Lead, Rapid7 explains why we need to think seriously about the privacy and safety concerns that internet connected toys can pose.
The children’s commissioner for England called on internet giants and toy makers last year, to be more transparent about the data they are collecting on children, noting that children are now being “datafied” from birth.
While datafication or the digitisation of someone is inevitable in the era of the internet and social media, it also exposes that person to things like hacking and identity theft. With annual smart-toy sales worldwide expected to grow to $11.3bn by 2020, we need to think seriously about the privacy and safety concerns that internet connected toys can pose.
Also of interest: Hackers using credential-stuffing attacks to hijack Deliveroo accounts
Vulnerabilities in Toys
The nascency of the Internet of Things (IoT) is reflected in the vulnerabilities that have been found in connected devices on the market, and children’s toys are no exception.
Complaints have been filed with the Federal Trade Commission on several occasions asserting that the manufacturers collected, used and shared audio files of children’s voices without parental consent. These toys were subsequently banned in Germany, and removed from the shelves of prominent toy retailers.
We also saw malicious hackers take advantage of weaknesses in connected toys when the VTech breach led to the leak of personal data belonging to 6.4 million children and 4.8 million adults.
Security issues have even led Mattel to cancel a highly touted future product named the Aristotle AI assistant, scrapping production over privacy concerns.
Also of interest: Amazon & eBay stop selling CloudPets toys citing security concerns
What’s At Risk
The ability for an unauthorised person to gain even basic individual details about a child (e.g. their name, date of birth, gender) is a concern. While names and birthdays are often openly accessible, malicious hackers could theoretically amass enough information to establish a more complete profile of a child in order to facilitate any number of social engineering or other malicious campaigns.
With the right information, malicious hackers could create a phishing scheme aimed at financial fraud or identity theft later down the road.
In an effort to make everyone more secure, our research team spends time trying to uncover vulnerabilities in a variety of internet connected devices, including children’s toys. In 2016, we uncovered and disclosed flaws in the products of a prominent smart toy vendor.
In this case, we found that the platform’s Application Programming Interface (API) was not appropriately verifying the “sender” of messages, allowing would-be hackers to send requests that shouldn’t be authorised.
The potential impact of this included malicious hackers gaining access to children’s profiles and data such as their name, birth date, gender, language, and which toys they had played with. Hackers could also alter what toys a customer account was connected to, and hijack the devices’ built-in functionality.
Also of interest: Are we investing too much in cyber security?
What Should Consumers Do?
It can be difficult for parents to know what to do as more and more connected devices become available. Vetting technology often requires technical knowledge and an in-depth understanding of security vulnerabilities. But security should definitely be high on the agenda of things to research before making a purchase.
Consumers should also take time to customise the device at setup and create a unique, secure password. Looking into whether software updates are available for critical security patches is also advisable.
Toy manufacturers are not alone. The IoT industry has a long way to go in terms of device security. There are things that companies can do, like incorporating security checks very early on in the product development lifecycle.
It’s also important for these companies to leverage industry initiatives like BuildItSecure.ly and OTA’s IoT Trust Framework, to better the security devices before they enter consumer’s hands and homes. Consumers will become increasingly wise to product vulnerabilities and will trust vendors far more if they have a demonstrable interest in ensuring their devices are secure and respond quickly to any vulnerabilities found.