This week, we’ve been on both ABC New England North West and CyberShack talking about connected toys, warning parents to think twice before buying their kids Wi-Fi enabled toys.
There are three main areas of concern with regard to the information security of connected toys:
For example, in the case of ‘Hello Barbie’, we’ve seen researchers demonstrate that it was trivial to access the microphones, cameras or data store of a connected toy.
Secondly, in the case of the ‘VTech InnoTab 3’, we’ve seen the stored data being accessed from the server where it is held. This included passwords, secret questions, voice records, chat logs and photos of kids.
This VTech hack was really interesting, and quite alarming: over 5 million parents and 6.3 million children were exposed in the breach, including over 18,000 Australians.
We’ve also seen other connected devices, such as fridges, being used to mine bitcoin at the owner’s expense (using up both bandwidth and electricity in the process) or to participate in denial of service attacks. You’re welcome to call this fridge a zombie fridge, or zombie washing machine.
The general trend of connected devices, or the ‘internet of shit’ (@internetofshit), is poorly protected passwords, both on the remote server and within the device, a lack of SSL/TLS encryption, and a neglect of patch application, to name a few.
Why? Well, across the full scope of connected devices, we’re seeing trends like this, but from a layperson’s perspective, the risks of toys seem low, or are not even on the radar. But the moment you add private information to these internet-connected devices (or the ability to collect it via something such as a microphone or camera), any device on your home network assumes the same risk level as your computer or mobile. This certainly seems to be an issue most companies making these devices cannot get their heads around.
Weigh up your personal feelings on the privacy of you and your children before purchasing connected toys, and connected devices in general. If you knew that a Barbie or some other toy was spying on your conversation, or pictures of your children playing were available on the internet without your consent…
If your child’s personal information is lost, such as their date of birth (often used in identity verification procedures), it cannot be changed, and it will remain on the internet – forever.
Check out the CyberShack article on this topic for further information.