Security Experts:

The Connected Toy Conundrum Is Beginning to Boil

The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong—up until the moment you are right.

When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked (including pictures of and data about children), I predicted that the breach would be a tipping point for security and privacy issues with connected toys. My thesis was based on the notion that nothing stirs the emotions faster than concerns over the privacy and safety of children.  

My prediction didn’t get any traction. Just as I was beginning to embrace the notion that I was wrong, a string of recent events may prove that I was just early.

Smart toy security troubles are on the rise

In mid-February, it was reported that Germany’s Federal Network Agency issued a warning to parents about the “My Friend Cayla” doll. The agency, which oversees telecommunications in Germany, advised parents to destroy the doll because it collects and transmits conversations with children.

The data in the conversations were being parsed by speech recognition software that can turn dialogue into searchable queries. While the agency based their warning on the doll being a “concealed transmitting device” that ran afoul of the law, there was also much concern over regulations protecting the privacy and security of children. Agencies from multiple countries, including the United States’ FTC, expressed concerns over these privacy and security issues.

In early March, it was reported that toymaker Spiral Toys had been hacked, exposing data from over 800,000 users. The data contained personalized voice messages, pictures, and other data collected via Internet-connected teddy bears and the associated smartphone apps. Researchers reported that the data was stored on a database that was unprotected and not behind a firewall. The same researchers believe the data was held for ransom before being exposed by multiple sources.

As a parent, I find these breaches of privacy and security reprehensible. As someone in the software security space, I find these breaches to be inevitable, yet easily preventable. As a citizen of the world, I view this as a continued warning about the dangers of IoT and connected everything.

Securing smart devices goes beyond toy manufacturers

As I have said repeatedly, the term “connected device” should immediately provoke questions such as “to what?”, “for what purpose?”, and “with what level of protection for the data?”

I do not believe that there is malicious intent on the part of the toy manufacturers. They are looking for an angle to sell toys, and IoT and connected devices are hot topics. They are also financially motivated to hold down production costs for profitability. Having a connected toy adds new cost items such as building the associated app and building the infrastructure (including data storage) to store the collected data. All their key business drivers (e.g., time to market and profitability) are diametrically opposed to notions of building security into the process.

Take note that this is not a set of issues unique to connected toys. Multiple stories came out in February on the analysis of the end user license agreements for smart televisions. Manufacturers are now warning us not to discuss sensitive subjects in front of our televisions as the conversation will be recorded and stored! This includes the voices of children in our homes.

On a personal note, I am in the market for a new home thermostat. Buying a smart thermostat causes me to pause because I know they listen constantly—just like a smart TV or your new Alexa. Fortunately, I also know several manufacturers of smart thermostats are treating the security issues seriously.

It’s time to take IoT security and privacy seriously

Privacy is an ephemeral subject, particularly in the United States. Other countries take a much more pronounced interest in privacy, where I believe Americans have become numb to the subject after selling our privacy souls for free cell phones. However, the basic, immutable law is simple and must be recognized by consumers: If something is IoT or connected it collects data and that data goes somewhere and is stored. While seemingly benign, that data may combine sensitive information—which can be stolen.

Add children to the mix and the focus suddenly shifts. The light shed on the problems swiftly burns much brighter. There have been no reports of children receiving inappropriate messages or other misuses of the leaked data…yet. However, the upsetting fact is that these children have been put at risk. When a child is compromised by such a leak, the heat will go up exponentially.

My previous, bold prediction was that parents will begin to demand that connected toys demonstrate the basic concepts of data privacy and security as awareness of the problem reaches critical mass. Enlightened toy manufacturers will begin to embrace the basic concepts of security and build connected toys that can be trusted by parents. They may in fact begin to use proof of security measures as a differentiator in the market. I would not be surprised to see some form of seal or certification emerge to visibly demonstrate to consumers the security awareness of the product.

The tipping point may have just arrived. On March 6, Consumer Reports announced that they are “launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy”. Consumer Reports hopes to push a new open-source standard that addresses privacy and security concerns for connected consumer devices.

I wait patiently to discover if I was early or wrong on my prediction. At the rate that these breaches are surfacing, I feel better about my chances of being early. But this time I won’t feel great about being right.

view counter
Jim Ivers is Senior Director of Marketing for the Software Integrity Group at Synopsys. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Cigital, Jim was the CMO at companies such as Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.