It seems like everything these days comes with some kind of Internet connectivity, from Wi-Fi-enabled crockpots to always-online cars to hot children’s toys. But the recent VTech hack reminded the world yet again that not everything connected to the Internet is safe for you and your family.
Internet of Things security expert Josh Corman, who is attempting to influence government and corporate policy toward securing customer data and consumer devices with his “I am the Cavalry” initiative, says parents should look out for toys that can record and broadcast audio and video.
“Anything that can capture or transmit audio or video is a higher risk to my family,” Corman said. Baby monitors and other home self-surveillance tools have been hacked, their media streams broadcast on the Internet.
Much like The Force, the mystical energy field that binds the galaxy in the Star Wars movies, the Internet of Things has a light side and a dark side. When toymakers embrace it, they can create a more dynamic dimension of play. If, on the other hand, they bolt Internet connectivity onto their toys without securing it, they can do real harm to your privacy and security and to your children's.
Unlike other Internet-connected devices such as insulin pumps and pacemakers, kids' toys and the data they collect have no regulatory agency protecting them, says Chris Wysopal, co-founder and chief technology officer of security firm Veracode. "Unfortunately, there's no seal of approval that a toy has been tested and is secure," he said.
In the past year, toy hacks have become more common, and many of the toys involved are still on the shelves. From dolls that check Wikipedia to Bluetooth-controlled skateboards, here are five toys to avoid as you do your last-minute shopping.
My Friend Cayla
My Friend Cayla is an interactive doll that can respond to questions. Some of its answers are preprogrammed; it looks up others on the Internet. But because of how it's been built, Cayla is "effectively a Bluetooth headset, dressed up as a doll," said Ken Munro of security company Pen Test Partners.
Munro and his colleagues identified four kinds of attacks that gave them different levels of access to the doll, including repurposing its "banned words" profanity database so that those words become Cayla's responses when your child says "Hello" to her.
Yes, My Friend Cayla can be hacked to become My Obscenely Profane Friend Cayla. She will also listen in and record everything she hears until she's turned off. Even without spewing obscenities, Cayla is creepy.
Hello Barbie
Mattel's Hello Barbie dolls have been on the radar of privacy advocates since at least March, when they criticized Mattel and technology partner ToyTalk for allowing the toy to record and analyze children's private conversations with the doll. And at the end of November, this Barbie became well-known for all the wrong tech reasons, when U.S. security researcher Matt Jakubowski was able to hack into its microphone and access stored audio files, user accounts, and system information.
VTech Learning Lodge toys
VTech, which makes more than a dozen popular Internet-connected toys, baby monitors, dinosaurs, and tablets, connects many of them through its Learning Lodge online service. In November, Learning Lodge was infamously hacked, exposing the personal information of more than 4.8 million adults and more than 6.3 million kids around the world.
The hack forced VTech to suspend its Kid Connect communication service, and, according to the company's FAQ, Learning Lodge remains down to this day. No credit card or other payment information was exposed, but given that the company still appears to be having problems, it's a good idea to stay away from Learning Lodge-connected VTech gear this season.
I Spy Tank
The remote-control I Spy Tank isn't new, and a quick Web search will show you that it has been hacked for a couple of years. The Wi-Fi remote-control vehicle carries a camera that streams what it sees to your phone. Because the connection has no security built into it, a hacker in range can watch the video stream and, with a bit more effort, take control of the tank's movements. The tank also doesn't protect the Wi-Fi credentials it stores, meaning that someone who compromises it can join your home network, reach the router itself, and intercept traffic passing through it.
Bluetooth-controlled skateboards
Motorized skateboards like those made by Boosted, Revo, and Yuneec have become a trendy way to get around town in San Francisco and other dense urban areas, and they're often controlled by your smartphone over Bluetooth. At Def Con in August, security researchers demonstrated that, because the communication between the app and the board was unprotected, the board could be forced to stop or reverse direction.
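The tank and the skateboards share one underlying problem: the device executes whatever command arrives over the radio, with no way to tell the owner's app from a stranger's. The following is an added illustration, not code from any of the products, researchers, or companies named above. It models a made-up control channel in which the board accepts "forward", "stop", and "reverse", and shows a bare command being accepted by an open device but rejected by one that requires each command to carry an HMAC under a key assumed to have been shared at pairing time, plus a counter that defeats replay of a recorded "stop".

```python
import hashlib
import hmac
import os

# Constructed model of an app-to-device control channel. The frame layout,
# command set, and pairing-key assumption are all illustrative; none of this
# describes the protocol of any real toy or skateboard.

COMMANDS = ("forward", "stop", "reverse")
TAG_LEN = 32  # HMAC-SHA256 output length in bytes
COUNTER_LEN = 8  # big-endian frame counter


class OpenBoard:
    """Device that trusts any command frame that arrives over the radio."""

    def __init__(self):
        self.state = "forward"

    def receive(self, frame: bytes) -> bool:
        cmd = frame.decode("ascii", errors="replace")
        if cmd in COMMANDS:
            self.state = cmd
            return True
        return False


class PairedBoard:
    """Device that only acts on frames authenticated with the pairing key
    and carrying a counter higher than any it has already accepted."""

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.state = "forward"
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        # Frame: counter (8 bytes) | ASCII command | HMAC-SHA256 tag (32 bytes)
        if len(frame) < COUNTER_LEN + 1 + TAG_LEN:
            return False  # too short to be a valid authenticated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or injected by someone without the key
        counter = int.from_bytes(body[:COUNTER_LEN], "big")
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        cmd = body[COUNTER_LEN:].decode("ascii", errors="replace")
        if cmd not in COMMANDS:
            return False
        self.last_counter = counter
        self.state = cmd
        return True


class PairedApp:
    """Owner's app: numbers and tags each command with the pairing key."""

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.counter = 0

    def build(self, cmd: str) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(COUNTER_LEN, "big") + cmd.encode("ascii")
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def demo() -> dict:
    """Run the injection, forgery, and replay attempts against both boards."""
    injected = b"stop"  # bare command an attacker in radio range might send

    open_board = OpenBoard()
    open_accepted = open_board.receive(injected)

    key = os.urandom(32)  # assumed to be shared at pairing, never sent over the air
    app, board = PairedApp(key), PairedBoard(key)
    board.receive(app.build("forward"))
    injected_accepted = board.receive(injected)

    # Attacker who knows the format but not the key builds a tagged "stop".
    forged_accepted = board.receive(PairedApp(os.urandom(32)).build("stop"))

    # Attacker records the owner's real "stop" and replays it after the owner resumes.
    legit_stop = app.build("stop")
    legit_accepted = board.receive(legit_stop)
    board.receive(app.build("forward"))
    replay_accepted = board.receive(legit_stop)

    return {
        "open_board_accepts_injected_stop": open_accepted,
        "open_board_state": open_board.state,
        "paired_board_accepts_injected_stop": injected_accepted,
        "paired_board_accepts_forged_stop": forged_accepted,
        "paired_board_accepts_legit_stop": legit_accepted,
        "paired_board_accepts_replayed_stop": replay_accepted,
        "paired_board_state": board.state,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The open board ends up stopped by a stranger's four-byte frame; the paired board ignores the injected frame, the frame tagged with the wrong key, and the replayed "stop", and is still moving forward at the end. A real design would also need to protect the pairing step itself, which this model simply assumes has happened.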