Parents should consider turning off cameras and geo-location settings in children’s toys that connect to the internet.
That’s the warning from security experts, adding to previous warnings from the Information Commissioner’s Office (ICO), as concerns mount that smart toys and smart ‘tracker’ watches made for children present a safety risk from hackers.
We’re often seeing smart toys pop up in the news – for all the wrong reasons. Most recently (Dec 2018), the BBC’s Watchdog Live programme flagged up a flaw in VTech’s InnoTab Max tablet for kids, which allowed hackers to remotely take control of the device and snoop on its user. VTech now says they’re alerting parents who’ve bought the tablet to a new security upgrade that will fix the flaw.
And just a few weeks before this, security experts flagged that they could hack into a MiSafes Kid’s Watcher Plus child-tracking smartwatch, and so were able to track children’s movements, surreptitiously listen in to their activities and make spoof calls to the watches that appeared to come from the child’s parents.
Earlier this year (2018), the US arm of popular toy company VTech hit the headlines when it was fined $650k (£480k) over a smart toy data breach.
VTech, best known over here as the brand behind the Kidizoom Smartwatch DX and Kidizoom Flix cameras, received the fine from the Federal Trade Commission for not correctly securing photos, audio files and personal info downloaded to the KidsConnect app – which comes with many of its electronic toys.
(“VTech does not admit any violations of law or liability,” reports say VTech said in a press release.)
In their general warning about smart toys, ICO’s deputy commissioner Steven Wood said: “You wouldn’t knowingly give a child a dangerous toy.
“So, why risk buying them something that could be easily hacked into?
“Some toys and devices are fitted with web cameras. If you have no intention of viewing footage over the internet, then turn the remote viewing off.” And, if the device has location tracking, make sure it’s secure, he advises: “If this isn’t done securely, then others may have access to this data as well.”
This ICO warning comes hot on the heels of a previous warning from Which? about the safety of toys that connect to the internet.
They’ve “uncovered concerning vulnerability” in 4 of 7 connected toys tested in a new ‘snapshot’ research project.
Vulnerability, for the purposes of their test, meant that a hacker could take control of the toy enough to speak to a child via a microphone or previously recorded voice message.
As a result of their findings, they’ve called for retailers across the UK to stop selling them until the safety issues are addressed, and asked manufacturers to take a look at their designs.
Here’s what you need to know…
Which connected toys posed a hacking risk?
Security experts have found that they could use widely-available software to hack into the MiSafes Kid’s Watcher Plus, change the assigned ID number, and access information including a photo of the child, their name, gender and date of birth, their height and weight, the parents’ phone numbers and the phone number assigned to the watch’s Sim card. They were also able to track the wearer’s current and past location, alter the safe-zone facility and ‘spoof’ a call to the device that appeared to come from the child’s parents. The BBC were unable to get a statement from MiSafes.
According to the Which? report, the I-Que Intelligent Robot and Furby Connect were 2 of the toys named as having vulnerabilities, as were the Amazon-sold CloudPets and Toy-Fi Teddy.
It would seem it’s the Bluetooth features that are often not secure, and these are what hackers were able to use to gain access to the toy.
For the Furby Connect, this was only possible within a 10 – 30 metre Bluetooth range, but still allowed the hackers to play an audio file through the Furby. With the I-Que robot, hackers were able to start chatting through the robot, gaining access via Bluetooth and the toy’s app.
Which? also says they tested Wowee Chip, the Fisher-Price Smart Toy Bear and the Mattel Hello Barbie, too. They weren’t able to hack into these toys and speak to a child via any kind of voice message.
(They do report, however, that they were able to take remote control of the Wowee Chip dog).
What the toy manufacturers say
Hasbro, the company behind Furby Connect, responded to the report by saying:
“While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy.
“And that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the Furby Connect toy, creating new firmware, and then updating the firmware, which requires being within Bluetooth range while the Furby Connect toy is in a ‘woke’ state…
“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience.”
And Vivid Toys, which makes the I-Que Intelligent Robot, added:
“While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy…
“In conclusion, the connected toys distributed by Vivid fully comply with essential requirements of the Toy Safety Directive and harmonised European standards and consider these products to be safe and for consumers to use when following the user instructions.”
(Spiral Toys, who make Toy-Fi Teddy and CloudPets, declined Which?’s request for comment.)
In summary: it takes a lot of effort, technical know-how and even close proximity to get inside the toy. But it is still possible…
What we think
Honestly, we know this sounds like scary stuff, but if you do have one of these toys in your house, we definitely don’t want you to panic. It’s just good to know what’s possible, right?
And, to be honest, what we’re hearing from Which? isn’t new, as there was lots of talk about the security of connected toys, particularly CloudPets, back in March 2017…
The CloudPets controversy
More than 820,000 user accounts were exposed when the popular CloudPets toys were hacked – meaning 2.2 million voice recordings, photos and personal info could have been accessed by anyone.
These internet-connected toys, as they’re known, generally seem pretty sweet.
Mum, dad, granny etc can use an app to record a message for their little one wherever they are in the world, and, in turn, your child squeezes their CloudPet’s paw to hear what’s been said.
But unfortunately – despite the toy being advertised as having built-in security – the info on nearly a million of the products wasn’t secure and the breach seems to have happened because the information was being held on an insecure server that required no authentication to access it.
While the situation has now been resolved, Spiral Toys, who make the toys and are based in California, were required by law to notify users of the breach.
They have also asked parents to choose more secure passwords when they set the toys up.
This isn’t the first time such a security issue has occurred with toys connected to the internet.
The My Friend Cayla doll – which responds to your child’s questions using the internet – has been proved to be hackable, meaning unwelcome and uninvited ‘guests’ can listen in on your child and even leave them messages.
There was such a storm over the dolls in Germany, in fact, that parents there have been advised to destroy them.
What should you do?
As more and more of these internet-connected products come out, it’s worth knowing that these security breaches are happening.
Troy Hunt, who owns a data-breach monitoring service, says, “There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them.”
Alex Neill, Which? Managing Director of Home Products and Services, adds: “Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.”
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
So, if you do buy a toy like this for your child, it’s definitely worth being careful how much information about your child you upload. Consider turning off any camera and/or geolocation settings, if you’re not going to be using them. And, most importantly, make sure the device is secured with a really strong, unique password.