Toy Hacks: Another Example of Why Security Needs an Overhaul

10/12/2015 09:22 GMT | Updated 09/12/2016 10:12 GMT

As the Internet of Things (IoT) continues to grow, we are starting to see a new generation of connected devices, including kids' toys and accessories. From baby monitors that allow parents to watch their infants remotely to smart talking dolls that connect to a database to answer kids' questions, the same connectivity seen in adult gadgets is now reaching our children. But what happens when hackers gain access to that data?

Recently, a large Hong Kong-based toy manufacturer that sells smartwatches and tablets aimed at kids had personal information of millions of children stolen from its servers. The data theft became public after the hacker himself disclosed it. He claims his intent was simply to expose the manufacturer's weak defences and not to use the data. He allegedly obtained personal information from over 6 million kids, such as names, home addresses, emails, pictures, download histories and even conversations between parents and their kids.

In a separate case, a group of security researchers tested 9 different brands of baby monitors, only to find security issues in all of them. They approached manufacturers to give them an opportunity to fix the issues before exposing them. This comes after reports of baby cam hacks where attackers even used these devices to talk to the children.

Well-intentioned or not, just the thought of a stranger being able to see what our kids are doing is enough to concern any parent, and it also highlights the scale of the problem. Cybercriminals don't tend to publicly expose their methods and results, like these researchers did. But if researchers could access the data, there are no guarantees that attackers haven't done the same before the problems were fixed.

Having their data exposed at such a young age may carry consequences into adulthood. Children's data is valuable: not only do they have clean credit records, but any fraudulent activity may also go undiscovered for years. It may not be until those kids reach an age where they actually need to open bank accounts, apply for student loans and search for jobs that they learn about the fraud.

However, the problem goes far beyond kids' toys; it reaches deep into the roots of the IoT. This new generation of connected devices mostly focuses on functionality and innovation, without enough time taken to consider in depth the security risks and the data that could be exposed.

Manufacturers have not yet realised that as soon as they start to produce connected devices, they are no longer simply manufacturers; they are now also technology companies. With that in mind, security professionals should be a part of the product development team, implications should be discussed much earlier in the process and extensive testing should be done prior to release. Many of the vulnerabilities that researchers identified are rather basic, and could have been avoided. Although it is impossible to guarantee that any connected product is completely secure, manufacturers can minimise any risks by designing products differently, and thinking about security from the start.