Thinking of buying an Internet-connected toy or device for your child this holiday? Do so with the understanding the data these Internet of Things (IoT) toys collect – your child’s location, words, images, video, etc. – could very well end up in the hands of hackers.
“Assume breach.” That’s the advice of a software security expert, who opts not to buy such devices for his own children and believes that there is an abundance of “connected toys out there with serious security vulnerabilities in the services that sit behind them.” (But more on this fellow in a moment.)
For the unfamiliar or non-technically minded, there are billions and billions of interconnected devices that constitute the Internet of Things. Think here about smart home devices like Amazon Echo or Google Home, Nest thermostats, refrigerators, home security systems, automobiles, smartwatches…. The number of IoT devices is growing at a staggering rate akin to a kind of digital Big Bang.
The concern for security experts is that these IoT devices also are making their way into the bedrooms and toy boxes of children, and even onto their wrists. Why the concern? Because in far too many cases there is little to no security present in these devices, nor the kinds of government protections most consumers have come to expect.
Translation: the safety of your children could be at risk if the data collected by these devices falls into the wrong hands. This helps explain why back in July the FBI cautioned parents to think twice before buying IoT devices for their children.
Wrote the bureau: “These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”
Not So Smart Teddy Bears, Watches, Barbies
Consider, for example, what software developer Roy Solberg discovered after affixing the Gator 2 smartwatch onto his daughter’s wrist: a complete absence of “any layer of security.” Meaning, any nefarious hacker could easily “track your kid and even start seeing patterns in when a child usually goes to school or after-school activities.”
Solberg wasn’t alone in his investigation into Gator Watch, which, ironically, is pitched in part as a convenient means through which parents can keep track of their kids. In a report on its investigation into the safety of four smartwatches sold to children (including Gator Watch), the Norwegian Consumer Council Union found security lapses in three of them.
The NCC’s conclusion: “Any consumer looking for ways to keep their children safe and secure might want to think twice before purchasing a smartwatch as long as the faults outlined in these reports have not been fixed.”
As Solberg pointed out in his investigation of the Gator Watch, its utter lack of security measures means it’s possible for someone to trick parents into thinking their child is safely situated at one location when, in fact, that child is being whisked somewhere else.
Concludes Solberg, who conducted extensive testing on the device: “If you ask me, this is as bad as it can get.”
Unfortunately, Gator Watch isn’t alone. In 2015, similar security issues were discovered in popular ‘smart’ Barbie dolls, enabling hackers to gain access to the dolls and spy on the children playing with them. By hacking into the doll’s microphone, a perpetrator could record everything the doll heard, along with its location data.
And for two weeks beginning Christmas 2016, Spiral Toys, makers of CloudPets IoT teddy bears, left two million recordings between parents and their children (along with more than 800,000 user name/password combinations), completely unprotected.
Investigations into the breach demonstrated that an unknown number of individuals accessed the information, some of whom demanded a ransom from the maker. Which brings us back to our security expert, Troy Hunt, who specializes in security-related issues for Microsoft.
In a blog post about the incident, Hunt wrote: “Cloudpets left their database exposed publicly to the web without so much as a password to protect it.” The post, which we strongly advise parents to read, dives deep into the issue and points out how difficult it can be even for experts like Hunt to get the makers of these devices to pay attention to the risks.
And what advice does Hunt, who has young children of his own, offer parents? “I don’t particularly want innocent childish behavior like playing with a toy to be recorded and stored on other people’s computers.” Hunt sees no reason for kids to own such devices.
And what of those parents who insist on buying IoT devices for their children? “Assume breach,” he says. “You must assume data like this will end up in other peoples’ hands. It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.”