With the growing popularity of the Internet of Things, connected toys are becoming especially loved by children. However, IoT toys still have many vulnerabilities that make them easy targets for cyber attackers. This article provides an overview of connected toy vulnerabilities and contains recommendations for developers on how to ensure that internet-connected toys are protected against cyber attacks.
Internet of Things(IoT) toys are children’s toys that are embedded with special sensors and firmware for providing personalized interactions with kids. Unlike ordinary toys, IoT toys can collect, use, and share information via the internet. Therefore, these toys are also called internet-connected toys or simply connected toys. IoT toys are sometimes smart, depending on their purpose, but even if they’re not, they’re always connected to an online server or platform.
Connected toys are designed for a child’s entertainment, development, and education. There are a wide variety of toys like this on the market, from dolls to robots to paintball helmets and many others. According to a white paper titled Kids and the Connected Home issued by the Family Online Safety Institute, the IoT toys market offers products that can be divided into four categories:
- Learning development toys are designed for developing cognitive and behavioral skills in children (Grush, a smart toothbrush; Wiggy, a piggy bank; Jerry the Bear, a toy for kids with diabetes).
- Toys to life include characters from cartoons and video games (Mattel’s Hello Barbie, Furby Connect)
- Robotics, or remotely controllable toys, include a handheld controller or can be controlled via spoken commands (Sphero Star Wars BB-8, CHIP, Cozmo)
- Wearables include accessories with embedded sensors like helmets, bracelets, armbands and so on (Pokémon GO Plus bracelet; Playmation, a set of smart accessories; Kidizoom Smartwatch DX)
All of these IoT toys connect to the internet either directly or indirectly:
- Wi-Fi is used for direct connections to wireless access points.
- Bluetooth is used for indirect connections by connecting at toy to an Android or iOS device that has access to the internet.
While an internet connection brings toys many capabilities to interact with children, this key feature of IoT toys also raises many privacy and security concerns. Moreover, a toy’s connection to cloud servers appears to be an easy target for cyber attackers.
While toys have always been an essential part of childhood, the first IoT toys like Hello Barbie and CogniToys Dino have significantly broadened our view of how interactive a child’s experience with toys can be. Connected toys can recognize speech and hold a conversation; they even can take a photo or determine a kid’s location. Currently, there are millions of parents who buy IoT toys without any idea that they could be a serious threat to their children.
There are many concerns regarding the privacy and security of IoT toys, as many toymakers haven’t paid enough attention to this when designing them.
Some fears relate to the security of transmitting sensitive data about users to cloud servers. Other concerns relate to the proper storage and use of private information, which can potentially be shared with third parties and used in an unethical way. Moreover, cloud servers and online platforms can also come under attack, so there’s a risk that a user’s credentials, a child’s identity, and other personal information may also be compromised.
Without proper security and privacy, cyber attackers can take control of a connected toy, turn it into a listening device, and communicate directly with a child. Criminals can potentially monitor a child’s location via a connected toy with the purpose of socializing, kidnapping, or even attacking them. Hackers can also discreetly take explicit photos of a child or blackmail parents with recordings of their child’s voice.
Let’s look closer at why IoT toys can become a new vector for cyber attacks and how to avoid this.
Smart toys that are connected to the internet can simulate intelligence by adapting to a user’s conversations, appearance, and actions thanks to various cameras and sensors. Of course, the main feature of any IoT toy is the physical toy itself, which is often in the form of a plush animal or a popular character.
The basic technology that allows toys to connect to the internet and interact with children usually includes the following:
- Speakers that allow toys to play sounds and talk to kids
- Microphones that allow toys to register children’s replies
- Recording devices that store what kids say
- Wireless transmitters and receivers, which are necessary for remote control
- Wi-Fi or Bluetooth modules to let toys transfer data to a cloud server or online platform
- Rechargeable batteries
Additionally, depending on their purpose, kid-friendly devices can also have the following electronic components:
- Cameras or optics that let toys take photos and recognize their owners
- Speech recognition capability that allows toys to understand a child’s speech
- Acoustic sensors, motion activators, or other sensors
- GPS capability that allows a smart wearable toy to monitor a child’s location
- Memory to store recordings
In the event of cyber attacks, information collected by these sensors can be compromised by hackers. So how much does a connected toy know about a child and their parents?
To function properly, connected toys need to collect the following information:
- Data about an internet connection (IP address, login credentials)
- Personal information about a child for registration (full name, gender, date of birth, etc.)
- Data provided during communication with a child (voice recordings, photos, videos, voice and text messages, etc.)
- Data about parents (phone number, location, credit card information, etc.)
However, this data can be easily compromised if it isn’t properly protected in transit or while on servers. Moreover, kids can become vulnerable to inappropriate communications with hackers or even to identity fraud.
The main vulnerabilities of connected toys usually lie in the following:
- Insecure communications
- Hardware and firmware flaws
- Software weaknesses
- Weak authentication or its absence altogether
- Insecure internet connections
- Improper protection of collected data
Here are examples of the most famous IoT toy attacks to date:
- In 2015, VTech, a Hong Kong-based digital toymaker, revealed that its database had been hacked by attackers who compromised the sensitive data of nearly 11 million accounts, including the accounts of 6.37 million children. Attackers got access to users’ credentials, letting them access profile information and sensitive data about kids such as name, gender, date of birth, and parents’ addresses. This data breach was the first cyber attack that affected children.
- Also in 2015, the first IoT toy, Mattel’s Hello Barbie, was found to have several flaws. The doll application for Android and iOS had vulnerabilities that allowed hackers to perform a man-in-the-middle attack. The doll transmitted voice recordings to servers for processing via Wi-Fi. However, the toy used an easily hackable ID that could be used to intercept data transferred between the doll and a server. Besides, the app was configured to automatically connect to any Wi-Fi network that included “Barbie” in its name. In addition, the server that processed information collected by the doll was vulnerable to the computer bug called Poodle.
- In February 2017, Germany banned an IoT toy called My Friend Cayla that contained vulnerabilities that could be exploited to record communications between kids and the doll. Cayla was a doll that could interact with kids and answer their questions. However, it turned out that the toy had an insecure Bluetooth device for connecting to the internet via a nearby mobile phone with an installed application. Thus, anyone who was in the vicinity of the doll could potentially connect to it and interact with a child. This technology was considered easily exploitable by criminals who attack children.
- February 2017 also saw the breach of a database owned by CloudPets, a plush animals brand owned by Spiral Toys. Troy Hunt, a cyberattack researcher, discovered an open database that contained links to more than 2 million voice messages recorded by these connected toys from nearly 800,000 customers. Though the toymaker at first denied that they stored unprotected client information on the web, Spiral Toys later advised users to change their passwords to more secure ones.
- In November 2017, the consumer magazine Which? published their research on the security of connected toys. The results revealed serious vulnerabilities in four of seven tested IoT toys. Particularly, researchers found insecure Bluetooth connections in the Furby Connect, CloudPets, Toy-Fi Teddy, and i-Que Intelligent Robot. Exploiting these weaknesses, Which? was able to connect to toys, play audio files, and communicate with children.
Recent cyber attacks on connected toys have revealed how little thought was put into the security of these IoT toys and their mobile applications when they were designed. It even seems that some security issues were known but never brought up before a connected toy was launched and hacked. However, considering the possible consequences of hacked toys and the increasing competition on the IoT toy market, the security of connected toys should have the utmost priority during development. Here are some recommendations on how to protect IoT toys from hackers based on best practices.
- Comply with regulations
- For connected toys distributed in the United States, manufacturers must comply with the Children’s Online Privacy Protection Act (COPPA) issued by the Federal Trade Commission (FTC). This regulation applies to internet-connected devices, which include IoT toys. This act requires companies to protect children’s personal information, obtain parental permission for collecting sensitive data, and implement other privacy requirements.
- Follow FTC recommendations regarding security of Internet of Things devices when designing a secure connected toy.
- Inform users about what information is collected, why it is collected, and where it is stored.
- Mention whether you will share collected information with third parties and get a parent’s consent to do so.
- Reduce the risk of accidental data sharing by deleting recordings both from the app and from the server after a certain time (five days or a week, for instance).
- Include privacy information on the toy packaging itself, in the manual, and in the app.
- Introduce security measures to connected toy hardware
- Since there’s a risk of an IoT toy being stolen, make sure that your product is tamper-proof and difficult to open.
- Reduce the number of ports and reduce debugging options.
- Add LED indicators that inform a user when a toy activates its recording features.
- Use hardware components only from trusted suppliers.
- Take firmware security into account at the early stages of development
- Make sure that firmware is automatically updated via secure over-the-air processes or establish digitally signed updates.
- Implement privacy settings so parents can limit what data is collected, stored, and transmitted to the cloud or to third parties.
- Make the connected toy app requests authentication before every financial transaction.
- Make sure the mobile app also sends alert notifications in case of suspicious activity.
- Budget for several firmware updates and security patches during the toy life cycle, as vulnerabilities usually appear over the time.
- Ensure the security of the toy’s connection to mobile devices and the internet
- Use strong authentication for pairing the toy with Bluetooth. To achieve this, you can use a unique default password for each product, implement two-factor authentication, and even use the biometric fingerprint scanner on a mobile device. In addition, limit the toy’s connection to one mobile device at a time.
- Use encryption to protect data when it’s collected, stored, and transmitted from the toy to the Wi-Fi access point and to the cloud server or third parties. Secure communication with strong encryption standards like HTTPS and TLS. You can also add random data or so-called salt to make it harder for attackers to compromise your product.
- Limit the networking capabilities of your IoT toy to only those that are necessary for its operation. This will eliminate the risk of your connected product being used in DDOS attacks.
- Ensure secure access to the cloud server with physical and administrative limitations, such as blocking unauthenticated firmware updates or creating a whitelist of IP addresses.
- Use penetration testing to search for vulnerabilities. Don’t try to fix every single vulnerability; instead, break them up into several categories based on severity. Focus on the critical ones first and then on those that have high risk and can be fixed quickly.
We’ve underlined the importance of IoT toy security and provided recommendations for developers of IoT toys on how to protect their products against cyber attacks. At Apriorit, we have a dedicated team of professionals who have experience developing Linux-based software, which is what’s mainly used in IoT devices. Apriorit also provides expert services in mobile development and cybersecurity. If you’re working on a connected toy, we can help you develop secure and reliable software for it. Feel free to contact us.