Industry must take action to improve the safety of connected toys

null

From connected home assistants and smart meters to fitness wristbands and WiFi-enabled baby monitors, different Internet of Things (IoT) technologies are becoming more and more commonplace, with consumers gradually recognising the benefits of making every part of their lives ‘connected’ in some way.

There will be a staggering 20.4 billion connected business and consumer devices in use by 2020, according to Gartner. While all these connected devices can be incredibly useful, they can also leave users vulnerable to cyber-attacks.

Attack spreading like wildfire

Every device in the home that connects via Wi-Fi, Bluetooth or cellular networks is a potential vulnerability through which a hacker could gain access to your network. Even though the Wi-Fi connection might be password-protected - if a hacker is able to access a smart home device, or even a smart toy that is connected to it, they could then infiltrate data on the user’s smartphone or laptop. From there, they could steal sensitive files or hold applications and data hostage, demanding a ransom. A similar phenomenon crippled the NHS’s systems when the WannaCry ransomware attack spread across organisations worldwide last year.

Computers and smartphones are certainly not impenetrable, but they are generally developed for a purpose which makes built-in security paramount to their design; whether that’s storing information or conducting financial transactions. What’s more, additional security software is available, with updates regularly rolled out to ensure that operating systems are secure from potential hackers.

Unlike PCs and smartphones that have the benefit of over 10 years’ security innovation and evolution to fall back on, IoT devices are in their infancy. Some smart home products and connected toys aren’t designed to hold obviously sensitive data that a hacker would want to get hold of, so security standards on these devices are not yet fully formed. Furthermore, the industry is still developing and collating R&D to find the best ways of securing these devices, but not compromising on their functionality and ease-of-use.

The risks of connected toys

For makers of connected toys such as mini robots and smart teddies, security cannot be an afterthought. Not only could vulnerabilities in these devices leave home networks and personal data vulnerable to hackers it could also place children in physical danger. The most alarming scenario is that a hacker could potentially communicate with a child through an unsecured Wi-Fi or Bluetooth-enabled toy. This could quickly escalate into something even more sinister. The ability to intercept the cameras of microphones built into toys, retrieve photos and videos from devices, and even pinpoint the location of the device could put children at risk. While it’s far more likely that hackers would exploit security flaws to hack home networks, child safety remains a major concern.

A recent report from consumer watchdog Which? called for all connected toys with proven security or privacy issues to be taken off sale. The report revealed that a selection of connected toys, including the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toy all used unsecured Bluetooth connections, with no PIN code, password or any other authentication method needed to connect. And this isn’t the first time that concerns have been publicly raised over connected toys.

Time to take action

Last year, the My Friend Cayla doll ran into trouble when the German government’s telecoms watchdog branded it an ‘illegal espionage apparatus’. The German Federal Network Agency ordered parents to immediately stop using the doll and destroy its concealed microphone as it breaks German privacy laws. Concerns over the doll have also been raised in the U.S.

In another example of the security risk posed by connected toys, smart toy maker Vtech was recently fined $650,000 by the US Federal Trade Commission following a security breach that exposed the data of 6.5 million customers. While investigating the breach, the FTC found that the Chinese firm’s Kid Connect app, which is used with some of its connected toys, had collected personal information from children without providing direct notice and obtaining their parent’s consent, violating a U.S. children’s privacy law. It also failed to take reasonable steps to secure the data it collected.

Although these stories are worrying, they also suggest that regulatory organisations are slowly recognising the potential security risks. Growing concern over the safety of connected toys has already led the FBI to put out a public service announcement urging people to consider cyber security before introducing these products into their home. And in the UK, the Information Commissioner’s Office recently offered guidance on how parents could keep their children safe when buying connected toys. These are important early steps in addressing the issue, but more needs to be done.

What happens next?

The industry has been slow to push security standards for connected toys, and while agreeing on industry standards is never straightforward, they are vital to the safety and security of both parents and children as the trend gathers steam. The advice for consumers is to do their research, check out reviews on reputable websites and only buy products from trusted retailers and manufacturers, checking the specifications to ensure that they come with robust built-in security. They are also advised to speak to the manufacturer about their security policy and seek advice from their Internet Service Provider (ISP). However, consumers can’t be expected to shoulder all of the burden. It is the responsibility of the manufacturers and ISPs to ensure that this information is readily available, in an easily understandable form.

Companies must develop clear privacy policies to let parents know what data is being collected from connected toys and how it is being used. It’s also essential that they work with partners to create a secure network for their devices and ensure that firmware and software updates are rolled out regularly, and that essential security patches are made available as quickly as possible.

For enterprises, the connected toy saga is a cautionary tale as the security threats facing the highly connected organisations of the modern world increase every day. All it takes is one unsecured device to breach a network. While you can’t stop the attacks happening, what is possible is to mitigate threats early and prevent attackers from compromising network security, gaining access to data and files they shouldn’t do and overloading IT systems with traffic from infected devices. It’s time every company took a more proactive stance on security, from multinational enterprises to novelty connected toy makers.

It’s vital that organisations — including governments, regulators, manufacturers and ISPs — consider how they can work together to create an end-to-end infrastructure with industry-wide standards to ensure the safety and security of consumers in 2018 and beyond.

Srinivasan CR, Chief Digital Officer, Tata Communications
Image source: Shutterstock/everything possible