In an episode of “The Twilight Zone” called “Living Doll,” a lifelike doll named Talky Tina turned rogue and terrorized a family. This nightmare scenario of out-of-control toys is sometimes portrayed in sci-fi novels and films — but are we entering the Twilight Zone with modern-day smart toys?
The Internet of Things (IoT) is touching every aspect of our lives and work. Across our industries, the industrial version of the IoT (sometimes called the IIoT) is growing exponentially, with a predicted market value of over $232 billion by 2023. The consumer marketplace is also growing at pace, with a market worth of around $124 million in the same time span. With values like this, manufacturers are jumping on the IoT bandwagon and adding IoT components to everything from fridges to teddy bears.
The march of progress can be a wonderful thing. It’s exciting, and in the case of the IIoT can bring about improvements in productivity and help make communications smooth across complex global vendor networks. In the case of consumer IoT products, nothing is without its IoT version.
And one area that is embracing the Internet and adding more fun into our toys is the smart toy. Who wouldn’t want a smart teddy like “Smart Toy®” from Fisher-Price? The teddy can understand your child’s voice and respond to him or her in an intelligent way, making up stories and being a fun furry friend.
But is the promise of such clever toys too good to be true? Will the sweetness of that smart toy under the Christmas tree carry a sting in the tail caused by cybersecurity vulnerabilities?
When Good Toys Go Bad
The Federal Trade Commission (FTC), via the Children’s Online Privacy Protection Rule (COPPA), deals with the protection of the personal information of children under 13 years of age. The first privacy case associated with a smart toy was brought to court in January 2018 under the COPPA rules.
CloudPets Go Ape
CloudPets definitely deserved the accolade of “super cute.” They were adorable soft toys and any kid (including big ones) would want to cuddle and play with them. The toy was Internet-enabled, allowing audio messages to be shared between the child and a parent via the Cloud. Unfortunately, poor security has meant that CloudPets are now in CloudPet heaven, as the company has ceased trading.
It turned out that CloudPets leaked the messages of 2 million of their owners, along with personal details and passwords. Security guru Troy Hunt alerted the world to the security issues of CloudPets. During research, Troy found that the CloudPets database was unprotected. Troy also found that various personal data, including children’s voice messages, were stored on an unprotected Amazon S3 bucket.
To be fair, where CloudPets did use passwords (e.g., in the app), hashing was used. However, the company had no password strength rules, allowing single character passwords and even promoting the use of simple 3-character passwords.
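An added example (not code from CloudPets or from this article): a sign-up check that rejects passwords like the single-character and 3-character ones described above before anything is hashed, and a count of how small that password space is. The minimum length, the blocklist and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12        # assumed policy value, not taken from the article
ALPHABET = 95          # printable ASCII characters
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor
# Constructed sample blocklist; production systems load a breached-password list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "cloudpets"}


def search_space(max_len, alphabet=ALPHABET):
    """Count every possible password of length 1..max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def policy_violations(password, username=""):
    """Return the reasons to reject a password; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in BLOCKLIST:
        problems.append("common password")
    if username and username.lower() in password.lower():
        problems.append("contains account name")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


def register(username, password):
    """Enforce the policy first, then derive a salted hash for storage."""
    problems = policy_violations(password, username)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest}


def verify(record, password):
    """Constant-time comparison against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Hashing does not rescue a 3-character password: the whole space is tiny.
    print(search_space(3), "candidates of length <= 3")
    print(policy_violations("abc"))
```

With only 866,495 possible passwords of three printable characters or fewer, a leaked hash of such a password gives little protection, which is why the policy check runs before the hash is ever stored.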
Kids’ Smart Watches — Not So Smart
Security firm Mnemonic was engaged by the Norwegian Consumer Council to check the security of a range of kids’ smartwatches. The analysis found critical security flaws in a number of the watches.
Some of the main concerns included the evident lack of consent to share and process data, showing a fundamental lack of respect for personal information. Most of the watches analyzed collected, transmitted and stored large amounts of personal data, including location data. Some of the watches did not even use basic security techniques such as encryption in transit to protect these data, which were also often shared with third parties without consent or the due diligence of a vendor security strategy.
Artificial Intelligence and Truly Smart Toys
There are, of course, ethical issues around the implementation of AI in our children’s toys. There are questions around cognitive development and civil issues, for example; MIT is carrying out interesting work in the area.
Outside of ethical and behavioral issues, a further worry is the dovetailing of AI with security flaws, thus compounding the safety issues. Having natural language processing and machine learning to make toys even more realistic is a goal of manufacturers. This ultra-realism could potentially enhance and augment any security flaws. Imagine a malicious entity hacking a toy that was poorly protected and talking to a child, with the child being unable to discern between the realistic toy conversation and that of the hacker.
What Is Being Done to Protect Our Kids?
Fortunately, there are initiatives afoot which are attempting to force manufacturers and toy designers to put security first. An FTC-initiated working group is being run by the US Commerce Department’s National Telecommunications and Information Administration (NTIA). The group is working to develop guidance around securing IoT devices. In the EU, ENISA has produced guidance, “Baseline Security Recommendations for IoT,” developed for IoT devices within critical infrastructures but referencing smart toy security vulnerabilities such as the CloudPets example above.
Security is important to everyone and is a civil right, no matter what age you are. The design and development of Internet-connected smart toys should be a priority to ensure the cyber-safety of our children. Rushing out toys to take advantage of seasons like Christmas should not mean that security is an afterthought. We have a civic duty to ensure the safety and uphold the privacy of our children.
- By 2023, Size of Industrial IoT Market Will Grow USD 232.15 Billion and CAGR 8.06%: Zion Market Research, Zion Market Research
- IoT in Consumer Electronics Market Worth US $124 Billion by 2023 at 24.16% CAGR, MarketWatch
- Smart Toy, Fisher-Price
- United States of America versus VTech Electronics Limited and VTech Electronics North America, LLC, ftc.gov
- Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages, Troy Hunt Blog
- #WatchOut: Analysis of smartwatches for children, ForbrukerRådet
- Kids, AI devices, and intelligent toys, MIT
- Comment to National Telecommunications & Information Administration, ftc.gov