Security risks in kids’ toys again this holiday season?
It seems like we cover this at least once a year, probably more: the state of cybersecurity for children’s toys. Given the holidays now upon us, I think it’s an appropriate time to check in again.
And the status is…sigh, really? More glaring vulnerabilities in smart toys that are going on the shelves this season. That includes some from VTech, which was the subject of our first article on this topic. I guess it’s not a huge surprise. Anyway, the main issues of concern stem from a lack of authentication measures, and, worse, lack of encryption.
Usually, smart toys will require authentication from any applications that try to connect to them. Obviously, the idea is to ensure the source attempting to connect is a trusted one, such as the child’s parent. Without this step, the door can open to malicious actors attempting to use whatever the toy’s function is for their own ends, especially in ways that compromise the child’s safety. Considering their kids’ safety is a parent or guardian’s main priority, this is especially important for a toy manufacturer to ensure. You can’t just have anyone able to stream songs through a kid’s karaoke microphone, or remotely activate a webcam in a stuffed bear.
Research testing from Which? and the NCC Group, however, demonstrated how one could easily connect to a walkie-talkie from VTech, for instance, without any need for authentication. Any such device could be leveraged by a cyber attacker to target the child.
Then you have the issue of encrypted data, which, naturally, is a focus for us. In the research, this pertained primarily to online accounts registered for the toys in question, and included companies like Mattel and Spinmaster. Websites and forums for these accounts often lacked encryption measures, whether for the credential information or online activity. That all this data could be open to illicit prying eyes is pretty creepy.
I’m not sure what it will take for toy manufacturers like these to take cybersecurity for kids more seriously in their products. Not in a “use it as an excuse to overly clamp down on freedom of expression” way, but in a manner that actually does some good. Perhaps the only real solution is to incentivize companies to make solid security efforts, so that the alternative, remaining insecure, is no longer perceived as the easier option.
Ultimately, if you are a parent or guardian, this holiday season make sure any smart toys your kids get are sufficiently secure when they connect online. Simply assuming they are is a mistake. As we can see, even companies who have had troubles in the past haven’t necessarily fixed all of the problems.