BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

FCC Votes To Restore Net Neutrality: A Win For Consumers And Democracy
An Ex-DOD Hacker Raises $20 Million To Stop ChatGPT-Fueled Cyberattacks
Tech Firms Pledge To Eliminate AI-Generated CSAM
Taser Company Axon Is Selling AI That Turns Body Cam Audio Into Police Reports
European Commission Launches Another TikTok Probe
Election 2024: Championing Proactive Cybersecurity To Fortify National Security
Edit Story
ForbesInnovationCybersecurity
Editors' Pick

Smart Toys Could Put Your Kids Safety At Risk This Xmas

Davey Winder
Senior Contributor
Opinions expressed by Forbes Contributors are their own.
Veteran cybersecurity and tech analyst, journalist, hacker, author
Following
This article is more than 4 years old.

New research suggests that children could be at risk from security flaws in smart toys this holiday season. An investigation by U.K. consumer advice organization Which? has revealed that toys purchased from major retailers could potentially allow a stranger to communicate with your child. The organization bought seven 'smart' toys and handed them over to the NCC Group, a specialist security lab, for testing. Some of the toys put to the test were aimed at children as young as three years old, according to Which? Yet they contained "various concerning issues that could potentially put children at risk," the report finds.

What stranger danger risks were found in the tested toys?

The smart toys were handed over to the NCC Group for lab testing, with a security assessment that focused on exploitable and design-based technical issues that were specific to the use of the toys by children themselves. It also investigated the confidentiality and integrity of any personal data captured by the toys.

"Across all seven toys, we found 20 noteworthy issues," the NCC Group said in a blog post. Perhaps the most serious of these was the lack of any secure authentication, such as a PIN code, for Bluetooth connectivity. Two of them in this category were karaoke toys, enabling anyone within a range of about 10 meters (10 feet) to connect anonymously and stream audio to the toy. It's worth bearing in mind that while the communication is one-way, the child would not be able to talk back, the stranger danger of someone being able to send messages like this cannot be stressed enough. "Imagine a scenario where someone connects to the toy and streams instructional or manipulative messages to a child," the NCC Group report stated, "such as asking them to go out to the front garden, as a precursor to an abduction attempt."

A pair of toy walkie-talkies that were tested also proved to be problematical. Again, there was no mutual authentication between the handsets. This time, though, the effective communication range was 150 meters (492 feet), meaning an attacker could be across the street or even on the other side of the park, for example. As long as they had purchased their own set of the toys, they would be able to engage in two-way conversations. The real-world playing out of this exploit is further restricted by the fact that to exploit the communication vulnerability, the attacker would need to pair the devices within a 30-second window of the child's set being switched on and paired. An unlikely scenario, I admit, but would you be happy taking any chances when it's your kids that are at risk?

Further details of the toys tested can be found in the Which? report, along with responses from the manufacturers.

MORE FOR YOU

‘Challengers’ Reviews: Does Zendaya Tennis Movie Score With Critics?

‘Baby Reindeer’ Star Says Real Martha Searches Need To Stop

Patriots Select North Carolina Quarterback Drake Maye With No 3 Pick In NFL Draft

What do security experts say about the smart toy risk?

"Today’s news that children’s karaoke and walkie-talkie toys, popular Christmas gifts and commonplace in children’s bedrooms, are hackable, enabling nearby strangers to potentially talk to children through them, or capture data from the devices, is incredibly concerning," David Emm, cybersecurity expert and principal security researcher at Kaspersky, said. Emm suggested "something stronger than a voluntary code of practice" is required when it comes to the protection of children.

"Children’s toys are often neglected with regards to the security conversation," Boris Cipot, a senior security engineer at Synopsys, said. "Before ordering a new smart device this holiday season for your child, or any family member for that matter, take into account the security impact the device can have and make security a part of your purchasing decision," Cipot said.

Given that research last year found that 90% of consumer Internet of Things (IoT) vendors didn't let security researchers report vulnerabilities, I can't say that I'm altogether surprised by the findings of the NCC Group testing. Shocked, as a parent and grandparent, but not surprised. Which? has a smart toy safety checklist for parents that details the things to be aware of before buying a connected toy for your children this holiday season. I heartily recommend you check it out before splashing your cash.

The U.S. Federal Trade Commission (FTC) has also just published advice for consumers regarding the questions that should be asked before buying internet-connected toys. The FTC recommends that consumers properly understand the smart toy’s feature set as well as both what information it will collect and how that data will be used.

Updated December 11 to add advice from the Federal Trade Commission

Follow me on Twitter or LinkedInCheck out my website or some of my other work here
Davey Winder
Davey Winder