Increasingly popular under our Christmas trees, smart toys are on the gift lists of our children, who are eager for connected gadgets that replace the traditional doll or teddy bear. However, like other connected products, they are also very vulnerable. In recent years, European and American consumer associations have revealed several cases of negligence by manufacturers. By connecting over Bluetooth from an ordinary smartphone, attackers can communicate through the toy, retrieve information and speak directly to your child.
As an example, in 2015 Mattel launched a connected Barbie, the Hello Barbie. For this project, it had partnered with ToyTalk, a company that develops speech recognition software. To chat with the connected toy, the child has to hold a button while talking. The audio file is then sent to the company’s servers, which send back a reply through the doll’s speaker. An American computer security researcher, Matt Jakubowski, claimed that he could break into the software, take control of the microphone and then speak directly to the doll’s owner.
Some government agencies have responded by banning the sale of toys considered too vulnerable. In 2017, the German telecoms regulator, the Bundesnetzagentur, announced a ban on smartwatches for children. The agency considered these watches to be spy devices and asked parents to destroy them. In the same year, the Commission nationale de l’informatique et des libertés (CNIL) issued a formal notice to Genesis Industries Limited, creator of My Friend Cayla and the robot I-Que, for “serious invasion of privacy due to a security flaw”. The Norwegian Consumer Council also denounced the hidden advertising built into the software that runs My Friend Cayla.
A few basic computer hygiene rules can limit the risk of a cyber attack on connected toys. The simplest is to segment the home network, placing connected toys on their own separate network. It is recommended to keep sensitive data on a system separate from other IoT devices. Another recommendation is to systematically change the “default” passwords shipped on all connected devices, use strong passwords (e.g. 16 characters) and change them regularly. It is also recommended to check that the mobile applications paired with such devices do not hold permissions that would allow them to collect our personal information abusively. Similarly, it is strongly advised to update connected devices regularly.
The French National Commission for Information Technology and Freedom (CNIL) has recently published on its website a series of recommendations for protecting children’s privacy and making parents aware of the inherent risks. Given the interest of large multinationals in connected objects aimed at the youngest children, and the security loopholes revealed so far, the greater fear appears to be the exploitation of children’s data for commercial purposes rather than espionage.