Parents, take note: Experts warn connected toys are vulnerable to hackers

NEW YORK -- Your smartphone or tablet is most likely pretty secure -- not perfect, maybe, but generally unlikely to be hacked or to store, say, your email where other people could read it.

The same can't be said for any Internet connected toys you may have purchased for your kids. Recently discovered security flaws in a pair of such toys highlight just how badly the toy industry has neglected such problems, theoretically exposing kids to online threats.

While major crimes stemming from the hack of a connected toy haven't yet surfaced, some experts argue that it's only a matter of time.

Kids "aren't expected to be Internet security experts and neither are their parents," said Tod Beardsley, security research manager for Rapid7 Inc., the Boston-based cybersecurity firm that published the toy-security research on Tuesday.

Rapid7 researchers examined the Fisher Price Smart Toy, an interactive stuffed animal for children aged three to eight that connects to the Internet via Wi-Fi. They also took a look at HereO, a recently launched GPS smartwatch that allows parents to track their child's location. In both cases, they found that the toys failed to safeguard children's information, such as their names and, in the case of the watch, their location, storing it on cloud servers in such a way that unauthorized people could access it by masquerading as legitimate users.

After researchers informed the manufacturers of the flaws, the companies quickly fixed the problems.

Mattel Inc., which owns the Fisher Price brand, released a statement Monday emphasizing that it has no evidence that anyone actually stole any customer information because of the flaw. Eli Shemesh, chief technology officer for Cyprus-based hereO, released a statement saying that security remains paramount for his company, adding that the security flaw was fixed quickly and before the watches started shipping to customers.

Those security problems are far from unique, said Mark Stanislav, Rapid7's manager of global services and the researcher who discovered the flaws. Reports of connected-toy vulnerabilities have been rife in recent months, a trend he expects to continue to worsen as more connected toys hit the market.

Toy makers need to be "building security in at the development phase," Stanislav said in a statement.

Like many connected devices, the Fisher Price toy runs a version of Google's Android operating system, the same software that powers many smartphones and tablets. Beardsley, however, said toy makers don't have the same commitment to security that a major tech company would have.

"I would be shocked if any Android-based toy didn't have any problems," he said. Apple, whose iPhones and iPads are the biggest rivals to Android devices, doesn't license its mobile software for use in toys.

Toy-related security problems began to grab headlines late last year, when kids' tech maker VTech announced that one of its databases had been hacked, exposing the names, ages and genders of more than 6 million children who used the company's toys.

As the number of connected toys continues to grow, so will the number of hackings, says Bridget Karlin, managing director of Intel Corp.'s Internet of things group. Intel's chips power a slew of connected devices, including a GPS smartwatch for kids, similar to the HereO, that's set to go on sale later this year.

Karlin says that while the odds of any particular toy being hacked may be very low, most of the attacks are random. That means building in security from the ground up, starting at the silicon level.

In the case of the Fisher Price toy -- which is sold as a stuffed bear, panda or monkey and retails for about $100 -- the researchers found that the toy's software and applications weren't appropriately verifying who was trying to access its information. That could theoretically expose a child's name, birthday, spoken language and gender.

Of course, those tidbits of information aren't necessarily secret. But hackers could theoretically amass enough of them to create a phishing scheme aimed at financial fraud or identity theft down the road. In theory, the information could also be used to pull off the abduction of a child, though experts say the chance of that remains slim.

The same flaw also could allow an attacker to effectively take control of the device to do things such as change the account information, or monitor whether a child is playing with it or if an adult is using the related mobile app, the researchers said.

The HereO smartwatch is marketed as a safety device for children aged three to 12 and creates a kind of social network that's restricted to invited family and friends.

The brightly-colored watch has both a cellular and GPS connection, allowing parents to monitor a child's location through a mobile app. Features include messaging, location alerts and a panic button. The watch, which costs $179 in the U.S. plus a $4.95 per month monitoring fee, recently started shipping to customers around the world.

Rapid7 says its researchers found a way attackers could trick the watch into adding them onto a given family's account. That would give them access to the entire family's location history and profile details and even the ability to message parents or their kids.


