New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids

from the barbie-needs-a-better-firewall dept

We've long noted how the painful lack of security and privacy standards in the internet of (broken) things is also very well-represented in the world of connected toys. Like IOT vendors, toymakers were so eager to make money, they left even basic privacy and security standards stranded in the rear view mirror as they rush to connect everything to the internet. As a result, we've seen repeated instances where your kids' conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is increasingly becoming a bigger problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth and wifi-enabled toys that allow a total stranger to listen in on or chat up your toddler:

"The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.

Again, the problem isn't just bad security, it's the total lack of security:

"With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid."

Genesis was already facing a lawsuit here in the States accusing it of violating COPPA (the Childrens’ Online Privacy Protection Act of 1998) by failing to adequately inform parents' that their kids conversations and personal data collected by the toys are being shipped off to servers and third-party companies. Said lawsuit also points out how the privacy policies governing the collection of kids' data aren't clear, aren't prominently displayed, and often change without notice. Overseas the reaction has been notably more hysterical, with German regulators urging parents to destroy these not-so-smart dolls or pay massive fines.

As is usually the case, the companies responsible for this total privacy and security failure like to portray these flaws as limited in scope and unlikely to be exploited:

"The British Toy and Hobby Association, of which Vivid and Hasbro are members, said: “The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security. "We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality."

Again though, this is often not just vulnerabilities we're talking about, but no security or privacy standards whatsoever. The idea that this isn't being exploited, however infrequent, seems unlikely -- especially as the media highlights more and more similar flaws. And again, with the internet of broken things introducing millions of new attack vectors into homes and businesses worldwide every day, the impact from this sort of privacy and security apathy will be cumulative.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: iot, kids, privacy, smart toys, surveillance