February 21, 2017

Forget books, time to burn the dolls

Last week, a coworker shared an interesting article with me from the BBC. It reported that Germans were being told to destroy a connected children’s toy because of hacking concerns.

The Cayla dolls — the villains of the story — are toys equipped with a microphone, a speaker, and a Bluetooth transmitter. If a child asks a Cayla doll a question, it can connect to the Internet to find an answer. But in 2015, researchers found out that the unsecured Bluetooth module can be used by hackers to eavesdrop and spy on children and their parents. That’s why the German Federal Network Agency suggested that parents destroy those toys.

Destroying toys sounds extreme, especially considering that, according to the BBC, British officials have a different view of the severity of the threat, with a U.K.-based entity noting that the dolls “offer no special risk.”

In comparison, Jochen Homann of the German Federal Network Agency noted:

“Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy. This applies in particular to children’s toys. The Cayla doll has been banned in Germany. This is also to protect the most vulnerable in our society.”

Unfortunately, this is not the first time that concerns have come up about the toy, and similar complaints were voiced in the United States close to the holidays.

We talk a lot about how the IoT is lacking in security and how the IoT-fueled Mirai botnet wreaked havoc on some pretty big websites. We have also talked about how toymakers VTech and Hello Kitty, and even baby monitors, have put kids at risk with exploited devices and breaches — and then there was Hello Barbie, which could potentially be hijacked remotely.

It would be easy to vilify the company that makes the My Friend Cayla doll for the Bluetooth vulnerability, but I won’t this time. It won’t help. Instead I implore parents to think. Think before buying kids items that connect to the Web. Make sure that you know what you are giving up in terms of privacy and data.

We live in an online age: Everything is online, and we know there are places on the Web where you — or anyone — can view things like connected cameras.

It’s a parent’s responsibility to keep kids safe. Sure, a doll like Cayla sounds cool, but do you really want it to be spying on your family? Add to that a $50–$60 price tag, plus shipping, and you’re paying a lot to give up privacy.

This will not be the last case of a toy taking too much liberty with app controls and not enough care with security. So what should you do?

This is something that falls under individual preference, but here’s what I like to do when buying toys for my kids or looking at the gifts they receive on birthdays or Christmas:

  1. Decide if the device needs to be online. Usually this is a No for me, but there are some exceptions.
  2. Determine what the app/toy is looking to collect. Some of the sites that we have looked at that tie to our kids' toys ask for a frightening amount of info: birth date, address, name, sibling names, and geolocation, for example. Identity thieves salivate over this.
  3. See if you can change the default password of the device. Believe it or not, my kids got a toy that could project stories on the ceiling, but it also asked you to remove Wi-Fi passwords from the network and to let it override your phone security settings because it could not store complex passwords.
  4. Decide your comfort level and if your kids really need the item.
  5. Remember that we are living in a digital age, and all devices and sites with valuable information are targets.
  6. Read reviews and look up security notes on the toy.

I follow all of the above when looking at devices for myself as well.

I see my role as a parent to be there to guide my kids in the right direction. Giving them something that can compromise them in the future does not tick that box. Sometimes we have to be the adults and realize that we are not always cool.