The Internet of Toys. Is Barbie Spying on You?

Photo by Daniel Cheung on Unsplash

By Mark Gibbs

I just received a review sample of a toy that is—and this is not a word I use lightly—awesome. It's the Cozmo, a small robot that is just amazing. Here, watch the video:

Isn't that adorable? But at its current price of $179.99, it's a bit pricey to be a toy for the Duplo set. In reality, Cozmo is more suitable for a STEM-oriented teen (or nerdy adult) because while it has a lot of functionality out of the box via a smartphone app, it's also programmable. The vendor, Anki, provides a complex SDK with support for integration of third-party APIs such as Twitter, Hue, and IFTTT. To get an idea of the technology involved in this product, check out this video of a tear-down:

Cozmo's onboard smarts can detect edges (it—mostly—manages not to plummet from tables), visually detect objects, and even recognize faces. In short, it's way cool and emblematic of the toys of the future which will be smart, very complicated, and, unless manufacturers get their **** together, major security risks.

The thing about "smart" toys—that is, toys that combine computer technologies with an array of sensors to deliver what I'm sure marketers must call something like "an enhanced pre-adult play experience"—is that they mostly aren't standalone; they rely on backend services that issue software updates and/or enable and extend the toy's functionality.

This architectural complexity is all well and good for giving the toy a gee-whizz factor, but that'll only last until there's a breach either at the toy end, compromising only the security and privacy of the owner, or at the back end, potentially compromising every owner of that particular toy. Add to that naïve end users who don't understand the risks involved plus all of the potential entry points via third-party services, and you've got an enormous attack surface for the bad guys to exploit.

Photo courtesy of Mattel.

Consider Hello Barbie, a version of Mattel's Barbie product family (Hello Barbie is available online but curiously, not from Mattel) that children can talk to and which will respond with synthesized speech. The doll is Wi-Fi enabled and within days of its release in 2015, was found to have a serious vulnerability. According to The Guardian:

… US security researcher Matt Jakubowski discovered that when connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll's system information, account information, stored audio files and direct access to the microphone.

Jakubowski told NBC: "You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want."

Potentially you could also use a hacked smart toy for other purposes. For example, last October, a distributed denial of service (DDoS) attack was launched against Dyn, a company that provides DNS resolution services to many large organizations. This attack, one of the largest DDoS attacks we've seen so far, lasted for hours, made thousands of Web sites inaccessible, and cost millions of dollars in lost sales and remediation efforts. What was different about this attack was that it was mounted using a botnet of tens of thousands of subverted smart devices such as video cameras, video recorders, and televisions. How? By exploiting the fact that many end users don't bother to change the default passwords on these types of devices. They then connect these devices to the Internet, leaving themselves vulnerable to the first hacker who comes along.

So, how bad is this end user problem? Last year the security company ESET surveyed 12,000 home routers, the first and usually only line of defense for most consumers, and found that at least 15% were not secured; so in that sample alone, there were 1,800 vulnerable devices and that's just routers. As smart toys proliferate along with remote backend services to support them, we have to be very careful in what we allow into our homes.

But that's not all of the risks that can come with smart toys and this is a serious enough concern that the FBI issued a public service announcement: CONSUMER NOTICE: INTERNET-CONNECTED TOYS COULD PRESENT PRIVACY AND CONTACT CONCERNS FOR CHILDREN. The FBI is warning parents that these smart toys can easily invade the privacy of your family by doing one or more of the following: Collect usage data, find your geographic location, discover family names, track your interests, take photos, record audio, … in other words, your family could be tracked at an unacceptable level of detail.

The FBI's announcement finishes with a list of things parents should do such as "Research the toy’s Internet and device connection security measures" which the vast majority of parents not only won't do but most likely wouldn't really understand if they did. In this list the FBI also recommends one thing that, in reality, almost no one does: Read the toy's End User Licensing Agreement as well as the vendor's privacy policy, and any other disclosures.

So, bottom line: Smart toys are going to be everywhere, and unless we get some serious privacy laws and effective consumer protections in place, your family will be tracked, measured, categorized, bought, and sold, your privacy will be shredded, and, at the same time, you may quite possibly get hacked. Unfortunately, the probability of any kind of meaningful laws being passed is close to zero given the technical complexity involved and the speed of innovation, but you, as a consumer and business person who is aware of the issues of InfoSec, can do something: Start talking to your associates, friends, and families so they are at least aware of the issues involved with smart toys.

Now, you'll have to excuse me, I must get back to my Cozmo … I think it just learned a new trick. How cute is that?!

In my next post, what does a cyber-attack really cost?

About Mark Gibbs

Mark is the author of four best-selling computer networking book titles and was a syndicated journalist and columnist for 24 years writing for Network World, Computer World, and other IDG publications. 