What child would not want a ‘smart’ toy? Many of us could only dream about such things during our childhoods, but these days, smart toys that connect to the Internet are quickly becoming the new norm. Soon, children will question why a doll or a teddy bear from our own childhood does not speak or move, allow them to send messages/videos, etc. And that is to be expected as technology advances. There is just one tiny problem: Internet-connected gadgets, including toys, are not as secure as they should be.
With the fast-growing popularity of the Internet of Things, developers need to keep up with the trends and produce more and more Internet-connected gadgets. Unfortunately, with such fast-paced production, security suffers. Developers might look past certain security risks in order to make a release quicker, and could be putting users in danger by doing so, the most vulnerable of them being children.
Why Internet-connected toys could be dangerous
The average person might not even consider the security risks when they purchase an Internet-of-Things gadget, especially something as harmless as a toy. However, this unawareness could be putting their own or their children’s personal information at risk. You would be quite surprised at how vulnerable things that connect to the Internet are, and toys are no different. And because their intended audience is kids, developers should be especially careful about their security. Unfortunately, the reality is rather different.
Smart toys are notoriously insecure. And if you look at what they are, it is not that surprising. They are essentially a computer that connects to the Internet. It may be a pretty basic one, but it still is a computer. And no matter how advanced it is, when a computer connects to the Internet, it becomes vulnerable. Some hacker could take advantage of those vulnerabilities, and it could have serious consequences.
Let’s take an example. You buy your child a smart Trent the teddy bear. You can remotely record a message for your child using an app, and the teddy bear will play it when the child presses a certain button. The child will even be notified when a message arrives by the flashing of the teddy bear’s heart. Seems convenient enough. Now, imagine if someone you do not know was able to record a message to your child. An unauthorized person could gain access to your child’s toy, record messages, extract stored personal information, etc. Certainly sounds creepy. That is what security specialist Bill Buchanan is warning parents about. A BBC article recently reported on the dangers of buying a smart toy for a child, and in it, Buchanan explained that it is possible to hack those teddy bears and store messages for the child to listen to.
“A browser interface gives him control of how fast Trent’s heart beats and – crucially – the ability to slot his own audio message into Trent’s circuitry,” BBC reports.
Buchanan is a security specialist, so the only reason he tries to hack smart toys is to discover vulnerabilities that he could report to manufacturers so that the toys become more secure. However, he warns that “less ethical hackers will not just find any weakness, they’ll post it on the web for anyone to replicate”.
You might be wondering: has anyone with bad intentions actually hacked a smart toy before, or is it all just hypothetical? The answer to that is, unfortunately, yes.
Back in February, serious concerns were raised when a database containing personal information and voice recordings from CloudPets toys was publicly available for anyone to access without a password. A report by security researcher Troy Hunt reveals that more than 2 million voice recordings were available. That is more than 2 million private recordings of children and their parents/guardians communicating, possibly exposing highly sensitive personal information.
We cannot expect children to understand how a toy they are using could be putting them in danger. However, if you are willing to purchase a smart toy for a child, you need to be aware of the risks. That is why you need to consider a few things before you make a purchase.
What you should be aware of when purchasing an Internet-connected toy
One of the first things you need to look into before buying a smart toy is how it works. Does it have a camera, a microphone, etc.? Think about all the different scenarios where those features could be used against you. Check the Privacy Policy to find out what kind of information is collected, and how it is stored, transferred and used. If you find the policy difficult to understand, it was likely intentionally made to be that way, which should raise alarm bells in your head. If you cannot understand it, it is better if you do not buy it. A couple of key things to look out for in a Privacy Policy are: who has access to the collected data, whether you would be notified in case of a security breach/found vulnerability, and if you would be informed about changes made to the disclosure and privacy policies.
Check the manufacturer for any incidents relating to cyber security and breaches. If the company was involved in one, how did it deal with it? Did they inform the customers? How did they improve their security after the incident? Consider all of these things before making a purchase.
If you have decided to proceed with the purchase, there are still a couple of things you need to do. Often, parents are asked to create user accounts to fully set up the toy, and it is advised to put in as little information as possible. If it is not obligatory, better to not provide it. Be especially careful when creating passwords. Do not just stick to a default or an easy-to-guess one, like ‘password’. Despite countless warnings, many users still choose passwords that require seconds to guess, such as ‘12345’ or ‘qwerty’. Instead of those, create a password containing a mixture of upper and lower case letters, numbers and special symbols. The harder it is to remember, the better.
Smart toys, like all things that connect to the Internet, are not as safe as they should be. Hopefully, this will change in the near future. But until that happens, parents will have to be extra attentive.