Internet Connected Toys Put Kids at Risk
Many internet-connected toys have security issues, including missing authentication for device pairing and a lack of encryption for connected online accounts. Researchers at NCC Group tested various smart toys available from name brands including Spinmaster, Vtech and Mattel. The research points to a larger security issue in connected toys, which opens them up as conduits for an IoT attack on smart homes. It also poses serious privacy issues for the children they are intended for.
Many toys tested were missing authentication for the Bluetooth connection used for pairing toys with their complementary apps or devices. This type of authentication serves as a security step to ensure that the device or app attempting to connect with the smart toy is from a legitimate source, such as a parent or guardian. Missing authentication opens the toys to an array of attacks. A hacker could connect to the toy and send fake messages to the child. In testing the Vtech KidiGear walkie-talkie, for example, researchers found that they could easily pair their own walkie-talkie devices with those of a child. The two walkie-talkie devices didn't need mutual authentication, allowing strangers to then talk to the child on the other device from up to 300 feet away. Researchers also found that the Singing Machine SMK250PP and a karaoke microphone from Amazon seller TENVA, which allow audio to be streamed through them via Bluetooth, lacked authentication. This would allow a hacker who paired with them to stream offensive content through them.
Another security issue stems from the online accounts that many connected toys require. A user account was required or suggested to register the toy and allow children to download new capabilities. Researchers found that when creating accounts, many websites did not offer encryption. None of the websites enforced a password policy.
The connected toys are only the latest to have security and privacy issues. After CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart pulled the toys from their online markets. Genesis Toys' My Friend Cayla doll and Mattel's Hello Barbie doll have also had major security issues.
Manufacturers need to take steps to ensure security by implementing authentication between toys and their owner devices or applications. Manufacturers can also make use of persistent storage on the devices, which could be used to store a unique identifier of the controlling app upon first use.
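One way the first-use binding suggested above could look in toy firmware, as an added example that is not from the article or the NCC Group research. The storage struct, function names, sample identifiers and button-gated reset are assumptions made for illustration; the identifier is assumed to be a secret value delivered over an encrypted link, since an identifier sent in the clear could be replayed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_LEN 16

/* Stand-in for the toy's flash/EEPROM record (hypothetical layout). */
typedef struct {
    bool    bound;             /* false until the first pairing */
    uint8_t owner_id[ID_LEN];  /* identifier of the controlling app */
} toy_store_t;

typedef enum { PAIR_BOUND_NEW, PAIR_ACCEPTED, PAIR_REJECTED } pair_result_t;

/* Constructed sample identifiers (15 characters plus NUL = 16 bytes). */
static const uint8_t PARENT_APP[ID_LEN] = "parent-app-0001";
static const uint8_t OTHER_APP[ID_LEN]  = "unknown-app-999";

/* Compare without early exit so timing does not reveal matching bytes. */
static bool id_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < ID_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* First pairing binds the toy to that app; later only that app is accepted. */
pair_result_t toy_handle_pairing(toy_store_t *st, const uint8_t *app_id) {
    if (!st->bound) {
        memcpy(st->owner_id, app_id, ID_LEN);
        st->bound = true;
        return PAIR_BOUND_NEW;
    }
    return id_equal(st->owner_id, app_id) ? PAIR_ACCEPTED : PAIR_REJECTED;
}

/* Re-binding needs physical access: a reset button held on the toy itself. */
bool toy_factory_reset(toy_store_t *st, bool button_held) {
    if (!button_held) return false;
    memset(st, 0, sizeof *st);
    return true;
}

int main(void) {
    toy_store_t st = {0};
    printf("first pairing: %d\n", toy_handle_pairing(&st, PARENT_APP));
    printf("same app:      %d\n", toy_handle_pairing(&st, PARENT_APP));
    printf("other device:  %d\n", toy_handle_pairing(&st, OTHER_APP));
    return 0;
}
```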