Internet-Connected Toys: Cute, Cuddly and Inherently Insecure
After the FBI issued a warning on internet-connected toys in July, researchers began digging into these devices to assess their functions as they relate to cybersecurity. But before describing what one of these toys can do, it might be helpful to explain how they work at a very high level.
Typical Components of Internet-Connected Toys
The first component of an internet-connected toy is the toy itself, which usually takes the form of a squeezable plush animal such as a dog, bear or pony. They also come as dolls, hard plastic dinosaurs, alien creatures and more. The electronic components, which are usually standardized across all Internet of Things (IoT) toys, typically include:
- A speaker;
- A wireless receiver and transmitter;
- A long-life battery or battery conduit;
- A recording device, such as a microphone wired to microchip; and
- Cloud connection capability.
More sophisticated toys contain additional components such as:
- Motion activators and sensors based on acoustics or specific frequency ranges;
- Optics or cameras;
- Bluetooth capability; and
- Programmable memory to store recordings, songs, stories, etc.
The Mobile App and the Cloud Provider
The newer IoT toys on the market require a mobile application that parents can download from an app store. These apps are usually compatible with several different mobile device types. There is no indication that the apps used for these IoT toys are developed with security in mind. As a result, there is no way to guarantee that these apps are protected from bad software updates, malware, worms, Trojans and viruses. Additionally, the mobile app, if hijacked by cybercriminals, could corrupt the toy to which it is downloaded.
The mobile app is used by one party — usually the parent — to record a message or greeting for the child. This message is transmitted to an IoT cloud account tied to the mobile app, and then from the cloud account to the child’s toy.
Again, there is nothing in the design of most internet-connected toys that guarantees that the user’s data:
- Is protected in the cloud;
- Is not susceptible to eavesdropping in the cloud;
- Will not be sold to the highest bidder on the black market if the cloud provider is compromised;
- Will not be used to spy on individuals or entire families to glean personal details; or
- Is not susceptible to tampering.
An Espionage Device in a Fluffy Package
Most internet-connect toys have some kind of indicator, such as eyes that light up, a face that moves to form a smile or a blinking heart light, that alerts the child to a message. The child can press the paw or squeeze the belly to hear the recorded message played back to them.
In addition to listening to simple messages and greetings, some IoT toys can read stories, play simple games and even maintain a steady internet connection to download new content such as children’s audio books. Several IoT toys allow children to record messages back to their parents or friends. This is where a cute pink dinosaur can become a Cold War-like espionage device in a fluffy, squeezable package.
The next-generation IoT toys coming out of the research and development phase and into the market are quite possibly the most sophisticated toys ever designed. A cybercriminal could easily hijack the basic model of an IoT toy to eavesdrop on everything a child is doing in his or her room and pick up distinct conversations occurring within the house, car, school or day care facility.
The most sophisticated IoT toys have augmented reality optics built into the eyes that can pick up on subsonic and ultrasonic broadcast frequencies and recognize voice patterns. These capabilities can be woven into the fabric of a pillowcase or blanket.
Red Flags for Internet-Connected Toys
Before purchasing an internet-connected toy for your child or children, do a lot of research and carefully scrutinize every manufacturer. Below is a list of red flags to look out for. If any one of these issues is present, the IoT toy, no matter how lovable and cute, should not be purchased:
- The toy is sold only through a ubiquitous, nameless, faceless retailer — in other words, it is available only online.
- The toy has no obvious, discernible supply chain that identifies who manufactured it or where it was manufactured.
- The company manufacturing the toy does not have a physical address, return address or consumer complaint number.
- Free shipping to military personnel is a major marketing tactic used to sell the product.
- There is no telephone number, physical address, mailing address or customer service number for the seller of the toy or the mobile app required to use the toy.
- The mobile app provider requires the user to sign up for the cloud service using his or her real first and last name and physical address.
- The toy stays connected to the cloud even when it is off.
- The toy is programmed to receive automatic updates or downloads.
- The toy comes equipped with a long-range receiver and transmitter.
- The cloud provider storing the data is never identified in the end-user license agreement (EULA).
- Neither the toy nor the mobile app comes with an EULA.
Read the Fine Print
Finally, parents and purchasers of IoT toys should always read the EULA carefully — every single word of it. This agreement, which is usually legally binding, is supposed to demonstrate how the toy works, what it is capable of, the type of data it can collect, where this data stored, how it is processed and used, and how long it remains in memory or in the cloud. Do not skip the EULA simply because the fuzzy blue alien looks too cuddly to have a sinister purpose.