How to Prevent Attacks on These 7 Most Vulnerable Connected Toys

What’s the next toy you are going to give to your child? Maybe, you are thinking about a voice-activated plush bear that can speak some clever lines and “engage” your child? That is great, but make sure you carefully consider your choices first if you want to buy an internet-connected toy. These Internet-of-Things (IoT) toys may hide potential danger for your child’s security.

What can parents and toymakers do to secure connected toys against cyber attacks? Here is a list of seven IoT toys that have were vulnerable and compromised in some way, as well as some useful tips about IoT toys security and how to protect them against cyber attacks.

1. VTech Toys

VTech is a Chinese manufacturer of connected toys who became a victim of cyber attackers in 2015. The company revealed that their online store was the target of a massive cyber attack. As a result, hackers got access to the company’s online database and compromised accounts of more than 11 million accounts that involved data about 6.37 million children. Apart from data about user credentials and profile information, the database contained details about the children’s identity as well as their parents’ credit card and mailing address data.

2. Hello Barbie

Mattel’s Hello Barbie provides personalized interaction with children due to its embedded microphone and speaker. The Hello Barbie toy can listen to a child and keep the conversation going thanks to its connection to a Wi-Fi network. However, it was discovered that once hacked the doll can be easily turned into a spying device. Hello Barbie had several vulnerabilities in its mobile app and an insecure Wi-Fi protocol. Matt Jakubowski, a security researcher at Bluebox, managed to hack the doll and got access to a user’s account data, the toy’s recordings and microphone.

3. My Friend Cayla

In 2014, My Friend Cayla was the first connected toy that used Google Translate technology for communication. Though the doll was able to answer child’s questions and recognize objects, it appeared to have significant security flaws. The doll required no authentication for connecting to its Bluetooth device, so anyone who was nearby could potentially interact with a child via the doll. Moreover, once hacked the doll could be turned into a surveillance device that took photos and recorded the child’s conversations. Germany considered these vulnerabilities extremely dangerous and advised parents to destroy this IoT toy.

4. CloudPets

Spiral Toys—the company that produces CloudPets, smart plush animals—was found to have security problems in 2017. Troy Hunt, a security researcher, revealed that the online database of the company had a public access for voice recordings of more than 800,000 customers. In addition, there was personal information about children’s identities stored in the database. After the data breach disclosure, Spiral Toys required customers to set strong passwords for their accounts.

5. Fisher-Price Smart Toy Bear

Smart Toy Bear is an interactive plush toy with a connection to the Internet. The toy can talk to children, listen to them and even remember your kid’s preferences and responses. Unfortunately, this connected toy appeared to have security flaws during research conducted by Rapid7 in 2016. The plush animal had vulnerabilities in its API that could be exploited by hackers for obtaining personal data about children and to remotely take control of the toy’s functionality.

6. HereO GPS Watch

HereO Watch was designed to help parents monitor the location of a child due to a built-in GPS tracking device. The toys are targeted for children aged between 3 and 12 years old. Parents can track a child’s location via a mobile app, as well as send messages and receive alert notifications. Unfortunately, the researchers at Rapid7 found authorization weaknesses that allowed potential attackers to penetrate into a family group, get access to a child’s location history, and abuse other features of the HereO GPS Platform.

7. Hello Kitty

Like other IoT toys, Hello Kitty devices collect information about users. However, a 2015 data breach compromised personal information of more than 3.3 million consumer accounts. The data leakage was caused by an incorrectly configured database installation that required no authentication. Though Hello Kitty’s devices had unique passwords, Sanrio provided no security for their data centers. As a result, insecure databases provided open access to user credentials and profile information.

Other IoT Toys Are Also Vulnerable to Attacks

Although the security weaknesses and vulnerabilities of IoT toys have been public since 2015, it still seems like many toymakers are in no hurry to improve protection for their products. According to a press release published by Which?, four out of seven of the most popular connected toys could be hacked by potential attackers. Security experts revealed that a vulnerable Bluetooth connection was found in the CloudPets, i-Que Intelligent Robot, Furby Connect, and Toy-Fi Teddy. Thus, there was a potential risk that cyber criminals or sexual predators could exploit vulnerabilities for taking control over devices or to send their own voice messages to a child. Which? has sent recommendations to toymakers and called for retailers to stop selling insecure products.

How Can Parents Protect Their Children?

Do you want somebody to spy on your baby? Of course not. A Parent’s primary concern should be the safety and security of their child. Don’t just believe claims from commercials or online ads. To help consumers make smarter choices, the Federal Bureau of Investigation (FBI) published recommendations for buying and using a connected toy. Particularly, the FBI recommends consumers to do the following:

Become familiar with disclosures and privacy policies
Research whether an IoT toy they want to buy has reported security flaws
Find out if the toy receives firmware updates and security patches
Research if the toy establishes a secure connection to the Internet via strong authentication and data encryption
Learn more about how the company ensures the security of collected data
Create unique passwords for authentication
Provide only the minimal required information about your child’s identity
Carefully monitor what the toy replies to a child
Turn off the toy when a child doesn’t play with it

However, parents are already busy with their children, so they don’t usually have enough time to become security experts. Moreover, the problem of IoT toys security is impossible to solve only from the parent’s side. Connected toy manufacturers should also take all the necessary measures to secure their products.

How Can Toymakers Secure Their Products?

The Federal Trade Commission (FTC) has mandated American toymakers to comply with the Children’s Online Privacy Protection Act (COPPA) if they produce devices that connect to the internet. IoT toy manufacturers should implement security measures starting from their product design. In addition to protected hardware and firmware, they also should pay attention to the security of their mobile application and online cloud server.

There are a variety of potential entertainment and educational benefits of internet-connected toys, and in some cases the toys may be used to increase security or improve safety for a child. The innovations of IoT toys, however, also expose the toys to risk that has simply never been part of a toy making process or toy buying decision before. The safety of our children depends on toy manufacturers and parents both being more diligent.