Connected Toys: What Are the Security & Privacy Risks?
(written with Eliyah Havemann)
As we approach the end of the year and enter the season of holiday gifting, it’s an excellent time to weigh in on “high tech” connected toys and the joy, concern, and horror they may bring.
In the last few years, “smart” or “connected” toys have exploded onto the scene, creating a market that is estimated to be worth $18 billion by 2023.
Headlines about security breaches and creepy toys feed valid concerns. Most of us have heard the stories about toys that have failed to protect kids’ information or actively spied on them. However, most families have neither the time nor the skills to deal with security.
Fortunately, it’s not all doom and gloom. Among the amazing tech toys and platforms currently available, there are some bright spots.
Safe connected toys
The best toys adhere to fundamental security principles, such as password-protected access, and protect private information.
One of the best rated connected toys (if it’s okay to call it that) is the Nintendo Switch.
The Nintendo Switch is a portable video game console that supports online gaming through internet connectivity, as well as local wireless ad hoc connectivity with other Switch consoles. As of September 2019, more than 41 million Nintendo Switch units were sold worldwide.
According to the Mozilla Foundation in their *Privacy Not Included report, “Nintendo does a good job with privacy, security, and parental controls.”
All of this is good news for parents who want to give their kids access to Super Mario, The Legend of Zelda, and other games.
What are they doing right?
Although the Nintendo Switch is rated “good” and doesn’t appear to pose any significant security or privacy risk, streaming media and online games played on the platform can create network congestion and degrade performance across the home network.
However, with the right solution in place at the network level, this type of congestion is easily remedied.
Still, it’s important to keep in mind, especially for younger kids, that even though these connected platforms may be fun, they are not necessarily friendly. Other platforms and connected toys are downright bad.
So, which connected toys pose a problem? Well…
Connected toys with security risks
Unlike the Nintendo Switch, there are many toys that don’t meet minimum security standards. We gathered a few of them here, to illustrate the point.
LEGO Star Wars Boost Droid Commander
This interactive, 1177-piece robot toy kit is designed to let kids build three app-controlled Star Wars LEGO droids (R2-D2, a Gonk Droid, and a Mouse Droid). It includes a color & distance sensor and an interactive motor.
These robots are controlled by an app that connects via Bluetooth to a phone or tablet. According to the Mozilla Foundation, “We weren’t able to determine if this product uses encryption, which is a flag.” Other basic security factors related to password strength and secure authentication were unknown.
Fortunately, with some cooperation and a little diligence, most security issues like these can be patched quite easily.
Ironically, however, what’s most concerning in general isn’t necessarily related to security.
The truly horrific issue is about the data that some connected toys are gathering, and where that data may be going.
One of the “best” examples of a connected toy gone wrong is CloudPets. Although it’s been a couple of years since these toys were pulled from shelves, this story bears mentioning, at least as a cautionary tale.
CloudPets is an Internet-connected soft toy manufactured by Spiral Toys that had numerous security vulnerabilities. The plush teddy bear-style toys use Bluetooth to connect to a parent’s smartphone, allowing distant family members to send voice messages to the toy and children to send voice messages back.
Security researchers demonstrated that the toy itself was insecure and could be trivially accessed via Bluetooth. The personal records of over 820,000 toy owners were stored in an insecure database. Attackers also replaced the database with a ransom demand pointing to a Bitcoin address. The database of user records also contained links pointing to over 2.2 million audio files hosted on Amazon Web Services containing the voice messages sent to and from the toys.
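The CloudPets story above shows why a link stored in a database must never be enough on its own to fetch a recording. The following added example (not CloudPets or Spiral Toys code) contrasts a permanent, unauthenticated file link with a link bound to an account and an expiry time via an HMAC signature; the hostname, the secret and the message ids are constructed for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side secret (constructed); a real service keeps it in a secrets store, not in code.
SERVER_SECRET = b"example-secret-do-not-reuse"

def vulnerable_link(audio_id: str) -> str:
    """Permanent, unauthenticated link: anyone who reads it from a leaked database can fetch the file."""
    return f"https://storage.example/audio/{audio_id}.wav"

def _signature(audio_id: str, owner: str, expires: int) -> str:
    # The signature covers the file id, the account it was issued to, and the expiry time.
    msg = f"{audio_id}|{owner}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def signed_link(audio_id: str, owner: str, now: int, ttl: int = 300) -> str:
    """Hardened: the link is bound to one account and expires; only audio_id and owner need to be stored."""
    expires = now + ttl
    query = urlencode({"owner": owner, "expires": expires,
                       "sig": _signature(audio_id, owner, expires)})
    return f"https://storage.example/audio/{audio_id}.wav?{query}"

def authorize(url: str, requester: str, now: int) -> bool:
    """Storage-side check: the requester must be the account the link was issued to,
    the link must be unexpired, and the signature must match the path and parameters."""
    parts = urlsplit(url)
    audio_id = parts.path.rsplit("/", 1)[-1].removesuffix(".wav")
    q = parse_qs(parts.query)
    try:
        owner, expires, sig = q["owner"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters: deny
    if requester != owner or now > expires:
        return False  # wrong account or expired link: deny
    return hmac.compare_digest(sig, _signature(audio_id, owner, expires))
```

With this design, a copy of the database still exposes who sent what to whom, but the links in it stop working once they expire and never work for anyone other than the account they were issued to.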
Another colossally bad connected toy, at least from a privacy and security standpoint, is Pet Chat, an app that was included on LeapFrog tablets. The app allowed kids to talk to one another in a chat room using preset phrases and emoticons.
The app was designed to create an ad-hoc Wi-Fi network that broadcasts to wireless devices in its proximity. Anyone scanning the area for Wi-Fi signals could collect details about the hotspot and reveal the device’s location.
The vulnerabilities could be exploited to track a kid’s location and to send personal messages posing as a “pet.”
Even more alarming is that this collected data could be used in a variety of ways in the future, by an assortment of people. It’s not far-fetched to imagine that, in some small way, it could influence health insurance coverage, loan approval, college acceptance, and who knows what else down the road. The long-term impact is unknown.
Toys and other devices that are this broken by design can’t be operated securely and should not be used at all.
But, how can toy manufacturers, network operators, and others help to keep kids safe from the hazards posed by smart toys and other connected devices?
What should parents do?
Thanks to education and good parenting, kids may know how to behave safely online. However, not much has been said about “smart” and connected toys. More must be done to caution them about connected toys and about how the data those toys collect can be used.
It’s important to be vigilant and aware of what data goes in and what comes out in an online world, especially with kids, because they’re potentially the most vulnerable and can be the first to adopt new devices.
Before buying any type of connected toy, it’s good to check the basic security and privacy issues. However, most families have neither the time nor the skills to deal with security, and they want someone else to take the lead.
As a way to assure online security for every customer, some communication service providers plan to offer HomeSecure-based services to their customers.
HomeSecure is a centrally managed platform that secures the home network and hardens customer premises equipment (CPE) against online attacks. Through machine learning techniques and visibility provided by the platform, all connected devices within the home are identified and protected.