4 ways 'internet of things' toys endanger children
Posted by admin on 10th May 2018

As Amazon releases an Echo Dot smart-home device aimed at children, it’s entering a busy and growing marketplace. More than one-third of U.S. homes with children have at least one “internet of things” connected toy – like a cuddly creature who can listen to and respond to a child’s inquiries. Many more of these devices are on the way, around the world and in North America specifically.

These toys wirelessly connect with online databases to recognize voices and images, identifying children’s queries, commands and requests and responding to them. They’re often billed as improving children’s quality of play, providing children with new experiences of collaborative play, and developing children’s literacy, numeric and social skills.

Online devices raise privacy concerns for all their users, but children are particularly vulnerable and have special legal protections. Consumer advocates have raised alarms about the toys’ insecure wireless internet connections – either directly over Wi-Fi or via Bluetooth to a smartphone or tablet with internet access.

As someone with both academic and practical experience in security, law enforcement and applied technology, I know these fears are not hypothetical. Here are four examples of when internet of things toys put kids’ security and privacy at risk.

1. Unsecured wireless connections

Some “internet of things” toys can connect to smartphone apps without any form of authentication. So a user can download a free app, find an associated toy nearby, and then communicate directly with the child playing with that toy. In 2015, security researchers discovered that Hello Barbie, an internet-enabled Barbie doll, automatically connected to unsecured Wi-Fi networks that broadcast the network name “Barbie.” It would be very simple for an attacker to set up a Wi-Fi network with that name and communicate directly with an unsuspecting child.
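A defensive check for the auto-join weakness described above, as an added example that is not part of the original article: it audits saved Wi-Fi profiles for networks a device will join on the strength of the network name alone. It assumes a Linux-based device that keeps its profiles in wpa_supplicant.conf syntax; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not taken from any real toy).
SAMPLE_CONF = '''
network={
    ssid="Barbie"
    key_mgmt=NONE
}
network={
    ssid="HomeNet"
    psk="constructed-example-passphrase"
    key_mgmt=WPA-PSK
}
network={
    ssid="OldSetup"
    key_mgmt=NONE
    disabled=1
}
'''

NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.DOTALL)


def parse_networks(conf_text):
    """Return one dict of settings per network={...} block (simplified parser)."""
    networks = []
    for body in NETWORK_BLOCK.findall(conf_text):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks


def unprotected_autojoin(conf_text):
    """SSIDs of enabled profiles that the device joins without WPA."""
    flagged = []
    for net in parse_networks(conf_text):
        # key_mgmt=NONE means no WPA: an open network (or static WEP), so
        # anyone broadcasting the same SSID is accepted as the real network.
        no_auth = net.get("key_mgmt", "WPA-PSK").upper() == "NONE"
        enabled = net.get("disabled", "0") != "1"
        if no_auth and enabled:
            flagged.append(net.get("ssid", "<unnamed>"))
    return flagged
```

Any profile this reports should be removed or replaced with one that requires WPA2 or later and a provisioned passphrase.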

The same thing could happen with unsecured Bluetooth connections to the Toy-Fi Teddy, I-Que Intelligent Robot and Furby Connect toys, a British consumer watchdog group revealed in 2017.

The toys’ ability to monitor children – even when used as intended and connected to official networks belonging to a toy’s manufacturer – violates Germany’s anti-surveillance laws. In 2017, German authorities declared the My Friend Cayla doll was an “illegal espionage apparatus,” ordering stores to pull it off the shelves and requiring parents to destroy or disable the toys.

Unsecured devices allow attackers to do more than just talk to children: A toy can talk to another internet-connected device, too. In 2017, security researchers hijacked a CloudPets connected stuffed animal and used it to place an order through an Amazon Echo in the same room.