Is Bluetooth LE A Good Tool For Hacking Kids’ Toys?

Way back in the days when a TV and a telephone were considered luxuries, kids were easily entertained with stuffed animals that did not require batteries, Play-Doh, Slinkys, and the occasional, and sometimes amusing, chemistry set. Except in some isolated cases, and based on the fact that children were both smarter and better supervised, no one suffered major harm from these now antiquated and obsolete playthings.

Kids’ toys are far more sophisticated today, with designers cramming ever more entertaining functionality into them. Heaven forbid any child should have so much as a teddy bear that does not access the internet in some way. And everything must have a camera and audio processing on board. Of course, all of the functionality, bells, and whistles come with an invisible price tag, one that could be very expensive.

For example, researchers at Context Information Security found vulnerabilities in a Bluetooth-enabled CloudPets unicorn toy that allowed them to take control of the toy’s voice recording functionality. The CloudPets line employs Bluetooth Low Energy (LE) technology to communicate with a smartphone app, allowing users to record audio messages on a phone and send them to the toy, or vice versa.

Essentially, this means that anyone who can access the toy via Bluetooth can upload a recording or, better still, retrieve live and recorded audio information, turning the toy into a remote surveillance device. Bluetooth LE has a range of about 10 to 30 meters, so anyone positioned outside a house could connect to the toy inside.

The disclosure by Context follows a revelation by another researcher that Spiral Toys, the maker of CloudPets, exposed more than two million voice recordings of children and parents, as well as email addresses and passwords for more than 800,000 accounts. The recordings and data were stored in a publicly accessible database that wasn't protected by a password or placed behind a firewall.

Hopefully the toy makers of the world will wise up, put time-to-market rush schedules on the back burner, and put security at the top of their to-do lists. Perhaps they could build some defensive functionality into their toys. In the case of the unicorn, integrate some voice and facial recognition plus some robotics. Should someone use the toy to learn when no one is home and break in, the toy could attack and subdue the invader; maybe shoot tranquilizer darts. No, that would be too much fun and at least one person would end up needing grief counseling. Back to the drawing board please. ~MD