SecurityWeek

The Connected Toy Conundrum Is Beginning to Boil

The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong—up until the moment you are right.

When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked (including pictures of and data about children), I predicted that the breach would be a tipping point for security and privacy issues with connected toys. My thesis was based on the notion that nothing stirs the emotions faster than concerns over the privacy and safety of children.

My prediction didn’t get any traction. Just as I was beginning to embrace the notion that I was wrong, a string of recent events may prove that I was just early.

Smart toy security troubles are on the rise

In mid-February, it was reported that Germany’s Federal Network Agency issued a warning to parents about the “My Friend Cayla” doll. The agency, which oversees telecommunications in Germany, advised parents to destroy the doll because it collects and transmits conversations with children.

The data in the conversations were being parsed by speech recognition software that can turn dialogue into searchable queries. While the agency based its warning on the doll being a “concealed transmitting device” that ran afoul of the law, there was also much concern over regulations protecting the privacy and security of children. Agencies from multiple countries, including the United States’ FTC, expressed concerns over these privacy and security issues.

In early March, it was reported that toymaker Spiral Toys had been hacked, exposing data from over 800,000 users. The data contained personalized voice messages, pictures, and other data collected via Internet-connected teddy bears and the associated smartphone apps. Researchers reported that the data was stored on a database that was unprotected and not behind a firewall. The same researchers believe the data was held for ransom before being exposed by multiple sources.

As a parent, I find these breaches of privacy and security reprehensible. As someone in the software security space, I find these breaches to be inevitable, yet easily preventable. As a citizen of the world, I view this as a continued warning about the dangers of IoT and connected everything.

Securing smart devices goes beyond toy manufacturers

As I have said repeatedly, the term “connected device” should immediately provoke questions such as “to what?”, “for what purpose?”, and “with what level of protection for the data?”

I do not believe that there is malicious intent on the part of the toy manufacturers. They are looking for an angle to sell toys, and IoT and connected devices are hot topics. They are also financially motivated to hold down production costs for profitability. Having a connected toy adds new cost items such as building the associated app and building the infrastructure (including data storage) for the collected data. All their key business drivers (e.g., time to market and profitability) are diametrically opposed to notions of building security into the process.

Take note that this is not a set of issues unique to connected toys. Multiple stories came out in February on the analysis of the end user license agreements for smart televisions. Manufacturers are now warning us not to discuss sensitive subjects in front of our televisions as the conversation will be recorded and stored! This includes the voices of children in our homes.

On a personal note, I am in the market for a new home thermostat. Buying a smart thermostat causes me to pause because I know they listen constantly—just like a smart TV or your new Alexa. Fortunately, I also know several manufacturers of smart thermostats are treating the security issues seriously.

It’s time to take IoT security and privacy seriously

Privacy is an ephemeral subject, particularly in the United States. Other countries take a much more pronounced interest in privacy, whereas I believe Americans have become numb to the subject after selling our privacy souls for free cell phones. However, the basic, immutable law is simple and must be recognized by consumers: if something is IoT or connected, it collects data, and that data goes somewhere and is stored. While seemingly benign, that data may combine sensitive information—which can be stolen.

Add children to the mix and the focus suddenly shifts. The light shed on the problems swiftly burns much brighter. There have been no reports of children receiving inappropriate messages or other misuses of the leaked data…yet. However, the upsetting fact is that these children have been put at risk. When a child is compromised by such a leak, the heat will go up exponentially.

My previous, bold prediction was that parents will begin to demand that connected toys demonstrate the basic concepts of data privacy and security as awareness of the problem reaches critical mass. Enlightened toy manufacturers will begin to embrace the basic concepts of security and build connected toys that can be trusted by parents. They may in fact begin to use proof of security measures as a differentiator in the market. I would not be surprised to see some form of seal or certification emerge to visibly demonstrate to consumers the security awareness of the product.

The tipping point may have just arrived. On March 6, Consumer Reports announced that they are “launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy”. Consumer Reports hopes to push a new open-source standard that addresses privacy and security concerns for connected consumer devices.

I wait patiently to discover if I was early or wrong on my prediction. At the rate that these breaches are surfacing, I feel better about my chances of being early. But this time I won’t feel great about being right.
