Thinking about a connected toy this Christmas?

December 15, 2015

This week, we’ve been on both ABC New England North West and CyberShack talking about connected toys, warning parents to think twice before buying their kids Wi-Fi enabled toys.


There are three main areas of concern with regard to the information security of connected toys:
For example, in the case of ‘Hello Barbie’, we’ve seen researchers demonstrate that it was trivial to access the microphones, cameras or data store of a connected toy.
Secondly, in the case of the ‘Vtech Innotab 3’, we’ve seen the stored data being accessed from the server where it is held. This included passwords, secret questions, voice records, chat logs and photos of kids.

This Vtech hack was really interesting, and quite alarming: over 5 million parents and 6.3 million children were exposed in the breach, including over 18,000 Australians.

We’ve also seen other connected devices, such as fridges, being used to mine bitcoin at the owner’s expense (using up both bandwidth and electricity in the process) or to participate in denial of service attacks. You’re welcome to call this a zombie fridge, or a zombie washing machine.

The general trend with connected devices, or the ‘internet of shit’ (@internetofshit), is poorly protected passwords, both on the remote server and within the device, a lack of SSL/TLS encryption, and a neglect of patch application, to name a few.

Why? Well, across the full scope of connected devices, we’re seeing trends like this, but from a layperson’s perspective, the risks of toys seem low, or are not even on the radar. But the moment you add private information to these devices (or the ability to collect it via something such as a microphone or camera) and put them on the internet, any device on your home network assumes the same risk level as your computer or mobile. This certainly seems to be an issue most companies making these devices cannot get their heads around.

Weigh up your personal feelings on your own privacy and that of your children before purchasing connected toys, and devices in general. If you knew that a Barbie or some other toy was spying on your conversation, or pictures of your children playing were available on the internet without your consent…

If your child’s personal information is lost, such as their date of birth (often used in identity verification procedures), it cannot be changed, and it will remain on the internet forever.

Check out the CyberShack Article on this topic for further information.
