20/12/2017 16:42 GMT | Updated 20/12/2017 16:42 GMT

Don’t Panic! Your Children’s New Connected Toy Is Unlikely To Be Hacked This Christmas

Children are going to grow up in a world where the IoT devices are as routine to them as televisions

Are so-called ‘smart’ toys really a danger to your children? Recently, I’ve had a number of worried parents ask me whether it is actually safe to buy any of the exciting, new connected toys that have come on the market in the last year as they’ve heard a fair few horror stories in the media. As many of these toys are topping the wish lists being sent to Santa this year, it’s not surprising that parents are concerned.

Earlier in the year, the German authorities actually banned one of these toys. ‘My Friend Cayla’, a doll with a built-in microphone, concerned the Federal Network Agency so much that they not only barred them from being sold, as they were classed as a ‘hidden espionage device’, they also effectively ordered parents who had bought one to destroy it. A Which? Magazine report out last month found that many of this Christmas’ most popular children’s toys were vulnerable to hacking – their experts consequently called for all retailers across the UK to stop selling these toys until any safety issues were addressed.

The consumer watchdog identified security issues in four out of seven toys tested, including Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toys. These toys allow parents – and potentially other adults too – to take control of the toy remotely and communicate with the child. With each of these toys, the Bluetooth connection had not been secured, meaning Which? researchers did not need a password, PIN or any other authentication to gain access. All they had to do was to connect to the device with any Bluetooth-enabled device and they were able to manipulate the toys.

So what are you supposed to do if your child really, really wants a ‘Hello Barbie’ this Christmas, just like all her friends at school?

The truth is that we are all living increasingly connected lives, and it’s not just smart toys that are potentially vulnerable to hackers. I predict that this Christmas is the first one where we will see a significant increase in the number of new, connected devices enter our homes, from AI voice assistants - such as Amazon Echo and Google Home Hub - to smart wireless speakers, clocks, baby monitors, lights, doorbells, CCTV cameras, windows, cooking utensils and even pet feeders. A number of these Bluetooth and internet-connected devices will, unfortunately, also be easy for hackers to exploit. This, it seems, is currently the price we pay for embracing the next technological advances, in exchange for the delivery of new, exciting, personalised and educational experiences that enhance all our lives in many ways. Manufacturers need to be the first to market, and taking time to implement effective security controls in their devices seemingly takes a back seat as they rush to get their products onto the shelves. We know that there are a significant number of devices out there that have shoddy security measures – if, indeed, they have any security measures at all.

When it comes to our children, however, it’s understandable that parents want to be extra cautious. With all the scaremongering going around about these vulnerable smart toys, I can see how parents could easily dismiss them as a no-go this Christmas, regardless of whether their children desperately want one or not. But let’s just review a few facts before you make that final decision.

Yes, professional cyber security researchers have been able to successfully compromise some of these new connected toys on the market. But these tests have been effectively undertaken under laboratory conditions. One toy – Hasbro’s ‘Furby Connect’ – was examined by security company Context Research and, indeed, their team found a vulnerability that could be used to modify the device through the built-in Bluetooth connection. It’s a great piece of research that highlights how security flaws can be identified and exploited.

But should you be worried if you have a Furby Connect? Whilst the flaw does indeed exist, to take advantage of it you will need to not only understand how to modify the Downloadable Content (DLC) files for the device, you also need to be within Bluetooth range to be able to attack it – which means being at least within 100 metres of the toy (and, if you’ve ever tried to connect to anything via Bluetooth, you’ll know that you really need to be very close indeed to the item in question). Can a Furby Connect be attacked? Yes. Should the manufacturer have picked up on the vulnerability? Yes. Is your Furby Connect likely to be attacked by hackers from all over the world? No.

Whenever you read an article about security flaws in connected devices – whether they be toys, cars or curling tongs - you need to keep in mind that these pieces are effectively free publicity for the company or individual who finds the flaw. It matters little if the scenario required to undertake the attack is realistic or not. For example, at least once a year there will be a news story about how a security researcher thinks they could hack an airliner whilst in flight. It matters little that the method of undertaking the attack is, at best, theoretical – what does matter is that it generates headlines. And the media loves horror stories about technology.

It’s predicted that within the next decade your house will have a minimum of ten active ‘Internet of Things’ (IoT) devices. Moreover, children are going to grow up in a world where the IoT devices are as routine to them as televisions were to me when I was a lad. The main role of parents is to prepare children to live in the world they will inhabit, and early access to education is, you have to admit, no bad thing.

So if you are considering buying that smart toy for your little one this Christmas, there are some simple precautionary steps you can take to give you peace of mind:

· Buy reputable brands – they are more likely to have been tested than the cheap knock-offs.

· Keep your Wi-Fi connection secure by changing the default passwords issued to you by your broadband provider, and update your router to the latest firmware version (your provider should be able to guide you).

· Don’t sign up to the apps that accompany these devices using your real name and address – the same goes for your email. You’ll potentially save your personal details from exposure, and you’ll certainly reduce the amount of spam email you get from the manufacturer!

· Always supervise your child when they are using internet-connected devices. Turn them off when not in use (be wary of devices that still connect even when the toy is apparently turned off). Just like a laptop or phone, covering the lens of any camera on the device when it’s not required is a good idea.

· Do your research. There are many people out there who will do the boring work of sifting through End User License Agreements for ‘gotchas’ so you don’t have to. Similarly, take notice of any publicised flaws in these devices (but remember that just because a security hole exists, it doesn’t mean that anyone can exploit it).

The next generation of IoT toys are possibly the most sophisticated ever designed. These digital toys and devices come with a lot of benefits for youngsters and adults alike. Baby monitors with built-in cameras allow you to keep an eye on your child from anywhere and GPS trackers help you find lost tots. Smart Teddy will not only enable you to check your kid’s temperature and heart rate instantly, but also record your child’s first ever words. Manufacturers will get better at securing these devices, because the public will demand they do so - as the saying goes, vote with your wallet.