Smart toys such as Furby Connect and My Friend Cayla have been making headlines over the past few years but for all the wrong reasons. UK consumer information organisation Which? warned of security vulnerabilities in the Furby Connect toy and Germany’s telecoms watchdog urged parents to destroy their Cayla talking doll, branding it an illegal surveillance device.
Does this mean it is best to avoid ‘smart’ or internet-connected toys altogether or are we throwing the talking baby doll out with the bath water?
Security expert Brian Honan says that when we panic about these toys we are missing the bigger picture: "What we need to consider is that the focus shouldn't just be on toys. Anything you can connect to the internet – an IoT [Internet of Things] device – is potentially vulnerable to attack."
“And it’s down to the vendors of those devices to ensure the appropriate security measures are built into their devices to keep them secure and protect the privacy of those who use those systems,” he says.
“There are two aspects to this. First is the security side of things: to ensure devices don’t get hacked and used for nefarious reasons, whether that is to eavesdrop on people, to steal personal data or use those devices to attack other systems like we saw last year with the Mirai botnet. This botnet hijacked thousands of internet-connected CCTV cameras, using them to launch a DDoS [distributed denial-of-service] attack against certain websites.”
Privacy
Then there is the privacy aspect, explains Honan. Manufacturers and vendors should be ensuring people’s privacy is protected. Whether you are talking to a smart speaker or Hello Barbie, a voice-activated device should not be listening in or recording unless you have activated it to do so.
Most of the controversy over smart toys has been related to fears of hacking. Less secure toys, as was the case with My Friend Cayla, used Bluetooth to connect the toy to the internet via a smartphone app and this pairing often didn’t include any form of authentication. This means that a nearby phone with the accompanying app could potentially pair with and communicate through or control the toy.
But why would anyone want access to a toy? What is the worst that could happen?
“It may become a treasured toy that a child takes with them everywhere and, depending on what the device does, criminals could potentially track the location of the toy and therefore the child. They may be able to remotely listen in to what the child is saying, maybe even interact with, talk to the child.
“If there’s video or picture capturing, they may be able to capture images of your child at play in the house or asleep in their bed. These are the absolutely worst-case scenarios. They could remotely wipe the device or hold it to ransom with ransomware and in order to get teddy or dolly working again you may have to pay a ransom.”
Ultimately, says Honan, criminals do these things as ways to make money and they will monetise information in whatever way they can so these are the motivations for hacking a smart toy.
Since examples of vulnerable smart toys began to emerge back in 2015 many toy manufacturers have been tightening up on data privacy and security but four years later the horror stories persist. While caution should be exercised across the board, in reality children have a far higher chance of encountering unsecured devices elsewhere in the home, be it a home voice assistant, smart television or simply through a tablet or smartphone.
For while the global smart toys market is expected to reach $24.65 billion (€22 billion) by 2025, the overall smart-home market is expected to grow from $76.6 billion (€68.5 billion) in 2018 to an impressive $151.4 billion (€135.3 billion) by 2024. In fact, by 2017, according to Gartner, there were already 8.4 billion IoT devices in use globally.
“We need better awareness amongst consumers so that they can discern the more secure options that they are going to buy, particularly when it comes to children. If you are going to buy a device for your child today you’re not going to go and buy a toy that has lead paint on it because, unlike 50 years ago, now we all know the dangers,” says Honan.
Safety checklist
Honan’s checklist for buying a safe smart toy includes: “The ability to change the default settings on the device – you should be able to change the default password. The manufacturer should also enable you to patch your device if a security bug is found in the software and it should be easy to update, not requiring you to send it back.
“Additionally, any communications and data across the internet should be using encrypted channels and there should be appropriate security and privacy measures put in place to protect that data wherever it is collected.”
This falls, of course, to the manufacturer rather than the end user and Toy Industries of Europe (TIE) is the trade association that promotes toy safety as the number one priority among its members, which include Lego, Mattel, Hasbro and Disney. In its almost 30 years of existence electronic toys have come a long way from the Tamagotchi and now reputable toy-makers need to bake in data privacy and protection.
"It was actually really good timing for the GDPR [General Data Protection Regulation] to come in when it did because it does have kid-specific rules," says Jennifer Pearson, senior policy and communications advisor at TIE.
“It was a moment for us to re-emphasise the importance of things like data minimisation, protecting data, and security by default and design. The GDPR is definitely one of the key pieces of legislation when it comes to smart toys and how they handle data storage and processing after the fact,” she says.
“An interesting thing about the toy sector is, more than many others, our success relies on trust from families. So, for those companies within our membership it’s really important to get it right when it comes to safety and now increasingly as play goes digital in terms of security and privacy.”
Pearson, however, feels that when it comes to securing networked playthings, having a toy-specific standard may not be useful because these toys, as soon as they are connected, become part of the Internet of Things and exist within a broader network upon whose security is also relies.
“We think that there should be kind of a uniform level of security across the board. When you look at router passwords where end users leave it to the default, for example, it’s those basic steps that secure the whole network that the toys is operating on as well.”
In terms of guidelines for these baseline standards, Pearson point to the recent publication of technical standards for consumer products from the European Standardisation Organisations. This, in conjunction with internal guidance being developed by TIE should go a distance towards bringing IoT devices, including toys, up to spec and eventually creating the data security equivalent of eradicating lead paint.
Cybersecurity Act
Additionally, with the forthcoming EU Cybersecurity Act there is a provision for IoT devices. Honan elaborates: "This is going to bring a whole certification scheme in for certain Internet of Things devices so they have to meet certain security standards. That's going to force those vendors who don't care about security to take security seriously.
“But unfortunately, at the moment we have a situation in the marketplace, whether it’s smart toys or smart kitchen appliances, responsible vendors and manufacturers choose to build good practice into their products but irresponsible vendors may not and therefore it’s not a level playing field. The onus is being left on the consumer to discern which products are more secure than others.
“As consumers expectations shouldn’t be on us to know all the laws that may apply to certain devices. We should be aware of our rights and our expectations when we buy something. As I said, if you buy a toy now it shouldn’t have lead paint or sharp corners. Likewise there should be appropriate warnings on any IoT device to say something along the lines of ‘What you say in front of this could be stored on our server’.”
Ultimately, while there is an onus on the consumer to be aware, industry and government need to help educate people on how to make smart choices so they can select the right smart toys. And for reputable toy companies, they are looking to design fun, appropriate and safe experiences, says Pearson.
“I think that’s important not to scare parents too much in terms of the connected toys that are out there. They should be cautious, they should take into account the basic security protocols when setting up a toy. But I don’t think it’s very helpful to just scare parents away altogether.”
Top 10 tips for buying safe smart toys
1: Always buy from a recognised and respected manufacturer.
2: Choose devices that allow you to change the default username and password.
3: Change the password to a strong password or passphrase.
4: Choose devices that allow you to disable any services and features you do not need.
5: Smart devices often come with services and features enabled by default, for example remote access and universal plug and play. If you don’t need it, disable it.
6: Select devices that allow you to configure the privacy settings, eg data collection or personalised ads to protect your privacy in a way that makes you feel comfortable.
7: If you need to connect to your device over the internet, ensure that it provides you in a secure, preferably encrypted manner.
8: Check if the device can be updated regularly and, ideally, automatically with the latest software and security updates.
9: If the toy uses Bluetooth to get connected, ask the vendor or manufacturer how it prevents unauthorised pairing from occurring.
10: Read the terms of service and find out if and how you and your child’s personal data may be used or stored.