I report and analyse breaking cybersecurity and privacy stories
Smart toys could represent a stranger danger risk to children, new report finds.
New research suggests that children could be at risk from security flaws in smart toys this holiday season. An investigation by U.K. consumer advice organization Which? has revealed that toys purchased from major retailers could potentially allow a stranger to communicate with your child. The organization bought seven 'smart' toys and handed them over to the NCC Group, a specialist security lab, for testing. Some of the toys put to the test were aimed at children as young as three years old, according to Which? Yet they contained "various concerning issues that could potentially put children at risk," the report finds.
What stranger danger risks were found in the tested toys?
"Across all seven toys, we found 20 noteworthy issues," the NCC Group said in a blog post. Perhaps the most serious of these was the lack of any secure authentication, such as a PIN code, for Bluetooth connectivity. Two of them in this category were karaoke toys, enabling anyone within a range of about 10 meters (10 feet) to connect anonymously and stream audio to the toy. It's worth bearing in mind that while the communication is one-way, the child would not be able to talk back, the stranger danger of someone being able to send messages like this cannot be stressed enough. "Imagine a scenario where someone connects to the toy and streams instructional or manipulative messages to a child," the NCC Group report stated, "such as asking them to go out to the front garden, as a precursor to an abduction attempt."
Today In: Innovation
A pair of toy walkie-talkies that were tested also proved to be problematical. Again, there was no mutual authentication between the handsets. This time, though, the effective communication range was 150 meters (492 feet), meaning an attacker could be across the street or even on the other side of the park, for example. As long as they had purchased their own set of the toys, they would be able to engage in two-way conversations. The real-world playing out of this exploit is further restricted by the fact that to exploit the communication vulnerability, the attacker would need to pair the devices within a 30-second window of the child's set being switched on and paired. An unlikely scenario, I admit, but would you be happy taking any chances when it's your kids that are at risk?
Further details of the toys tested can be found in the Which? report, along with responses from the manufacturers.
What do security experts say about the smart toy risk?
"Today’s news that children’s karaoke and walkie-talkie toys, popular Christmas gifts and commonplace in children’s bedrooms, are hackable, enabling nearby strangers to potentially talk to children through them, or capture data from the devices, is incredibly concerning," David Emm, cybersecurity expert and principal security researcher at Kaspersky, said. Emm suggested "something stronger than a voluntary code of practice" is required when it comes to the protection of children.
"Children’s toys are often neglected with regards to the security conversation," Boris Cipot, a senior security engineer at Synopsys, said. "Before ordering a new smart device this holiday season for your child, or any family member for that matter, take into account the security impact the device can have and make security a part of your purchasing decision," Cipot said.
Given that research last year found that 90% of consumer Internet of Things (IoT) vendors didn't let security researchers report vulnerabilities, I can't say that I'm altogether surprised by the findings of the NCC Group testing. Shocked, as a parent and grandparent, but not surprised. Which? has a smart toy safety checklist for parents that details the things to be aware of before buying a connected toy for your children this holiday season. I heartily recommend you check it out before splashing your cash.
The U.S. Federal Trade Commission (FTC) has also just published advice for consumers regarding the questions that should be asked before buying internet-connected toys. The FTC recommends that consumers properly understand the smart toy’s feature set as well as both what information it will collect and how that data will be used.
It's superior, however , check out material at the street address. best outdoor toys for kids
ReplyDeleteI would like to say that this blog really convinced me to do it! Thanks, very good post. Pop Culture Quiz
ReplyDelete