Parents, take note: Experts warn connected toys are vulnerable to hackers

NEW YORK -- Your smartphone or tablet is most likely pretty secure -- not perfect, maybe, but generally unlikely to be hacked or to store, say, your email where other people could read it.

See Full Article

The same can't be said for any Internet connected toys you may have purchased for your kids. Recently discovered security flaws in a pair of such toys highlight just how badly the toy industry has neglected such problems, theoretically exposing kids to online threats.

While major crimes teeming from the hack of a connected toy haven't yet surfaced, some experts argue that it's only a matter of time.

Kids "aren't expected to be Internet security experts and neither are their parents," said Tod Beardsley, security research manager for Rapid7 Inc., the Boston-based cybersecurity firm that published the toy-security research on Tuesday.

Rapid7 researchers examined the Fisher Price Smart Toy, an interactive stuffed animal for children aged three to eight that connects to the Internet via Wi-Fi. They also took a look at HereO, a recently launched GPS smartwatch that allows parents to track their child's location. In both cases, they found that the toys failed to safeguard children's information such as their names and in the case of the watch, their location, storing it on cloud servers in such a way that unauthorized people could access it by masquerading as legitimate users.

After researchers informed the manufacturers of the flaws, the companies quickly fixed the problems.

Mattel Inc., which owns the Fisher Price brand, released a statement Monday emphasizing that it has no evidence that anyone actually stole any customer information because of the flaw. Eli Shemesh, chief technology officer for Cyprus-based hereO, released a statement saying that security remains paramount for his company, adding that the security flaw was fixed quickly and before the watches started shipping to customers.

Those security problems are far from unique, said Mark Stanislav, Rapid7's manager of global services and the researcher who discovered the flaws. Reports of connected-toy vulnerabilities have been rife in recent months, a trend he expects to continue to worsen as more connected toys hit the market.

Toy makers need to be "building security in at the development phase," Stanislav said in a statement.

Like many connected devices, the Fisher Price toy runs a version of Google's Android operating system, the same software that powers many smartphones and tablets. Beardsley, however, said toy makers don't have the same commitment to security that a major tech company would have.

"I would be shocked if any Android-based toy didn't have any problems," he said. Apple, whose iPhones and iPads are the biggest rivals to Android devices, doesn't license its mobile software for use in toys.

Toy-related security problems began to grab headlines late last year, when kid's tech maker VTech announced that one of its databases had been hacked, exposing the names, ages and genders of more than 6 million children who used the company's toys.

As the number of connected toys continues to grow, so will the number of hackings, says Bridget Karlin, managing director of Intel Corp.'s Internet of things group. Intel's chips power a slew of connected devices, including a GPS smartwatch for kids, similar to the HereO, that's set to go on sale later this year.

Karlin says that while the odds of any particular toy being hacked may be very low, most of the attacks are random. That means building in security from the ground up, starting at the silicon level.

In the case of the Fisher Price toy -- which is sold as a stuffed bear, panda or monkey and retails for about $100 -- the researchers found that the toy's software and applications weren't appropriately verifying who was trying to access its information. That could theoretically expose a child's name, birthday, spoken language and gender.

Of course, those tidbits of information aren't necessarily secret. But hackers could theoretically amass enough of them to create a phishing scheme aimed at financial fraud or identity theft down the road. In theory, the information could also be used to pull off the abduction of a child, though experts say the chance of that remains slim.

The same flaw also could allow an attacker to effectively take control of the device to do things such as change the account information, or monitor whether a child is playing with it or if an adult is using the related mobile app, the researchers said.

The HereO smartwatch is marketed as a safety device for children aged three to 12 and creates a kind of social network that's restricted to invited family and friends.

The brightly-colored watch has both a cellular and GPS connection, allowing parents to monitor a child's location through a mobile app. Features include messaging, location alerts and a panic button. The watch, which costs $179 in the U.S. plus a $4.95 per month monitoring fee, recently started shipping to customers around the world.

Rapid7 says its researchers found a way attackers could trick the watch into adding them onto a given family's account. That would give them access to the entire family's location history and profile details and even the ability to message parents or their kids.


Latest Tech & Science News

  • Dinosaurs of a feather flocked together, University of Alberta study finds

    Tech & Science CBC News
    Bird-like dinosaurs were social creatures and likely flocked together, contrary to the popular image of dinosaurs as solitary creatures, suggests a study at the University of Alberta. "It changes our perception of the species quite a bit," said Gregory Funston, a PhD student and Vanier scholar at the University of Alberta. Source
  • Blurring effect comes to iPhone 7 Plus with software update

    Tech & Science CTV News
    NEW YORK - Apple's iPhone 7 Plus is getting a new camera capability -- the blurring of backgrounds to focus attention on people or other objects in the foreground. Apple's "portrait mode" feature was announced in September but was unavailable until the company released its iOS 10.1 software update Monday. Source
  • Feathered dinosaurs may have 'flocked' together like modern birds: study

    Tech & Science CTV News
    EDMONTON -- An ancient bone bed in a remote Mongolian desert presents tantalizing clues that dinosaurs of a feather may have flocked together for the same reasons modern birds do. Research by University of Alberta paleontologist Gregory Funston says the deposit contains fossils from a bird-like dinosaur that were all about the same age. Source
  • 'Intentional, malicious' cyberattack led to Ontario literacy test system crash

    Tech & Science CBC News
    The Ontario agency tasked with administering the first online literacy test to tens of thousands of high school students in the province last week says it was forced to pull the plug by an "intentional, malicious and sustained" cyberattack. Source
  • Heat-trapping gases surge in Earth's atmosphere: UN weather agency

    Tech & Science CTV News
    The World Meteorological Organization says heat-trapping gases in Earth's atmosphere are growing faster than before, surging permanently beyond a troubling milestone. The United Nations agency says global carbon dioxide levels, which first reached 400 parts per million last year, are likely to stay above that symbolic 400 milestone all year and for generations to come. Source
  • Ohio museum's sale of antiquities from Egypt draws criticism

    Tech & Science CTV News
    TOLEDO, Ohio -- Ohio's Toledo Museum of Art is selling 68 antiquities from its collection, a move drawing criticism from a nationally known archaeologist and Egyptian officials. The Blade newspaper reports about half the items are from Egypt. Source
  • SpaceX's Elon Musk elaborates on plan to colonize Mars

    Tech & Science CTV News
    SpaceX CEO Elon Musk has given more details about his plan to colonize Mars. Musk answered questions on Reddit on Sunday. The session was a follow up to Musk's comments at a space conference in Mexico last month during which he unveiled his plan to send up to 1 million people to Mars within the next 40 to 100 years. Source
  • Why robots are key to redefining the meaning of 'Made in China'

    Tech & Science CTV News
    BEIJING -- The Canbot can say its name, respond to voice commands, and "dance" as it plays Michael Jackson's "Billie Jean." Other robots China is displaying at the World Robot Conference can play badminton, sand cellphone cases and sort computer chips. Source
  • Univeristy of Maine professor dies conducting research in Antarctica

    Tech & Science CTV News
    ORONO, Maine -- A University of Maine professor has died while conducting research in Antarctica. The university says 50-year-old Gordon Hamilton died Saturday when the snowmobile he was riding hit a crevasse and he fell 100 feet. Source
  • Surfer is third Australian shark attack victim in a month

    Tech & Science CTV News
    SYDNEY, Australia -- A surfer sustained minor injuries on Monday in the third shark attack off New South Wales state north of Sydney in a month, a witness said. The surfer's injuries were "not that serious," former state lawmaker Ian Cohen told Australian Broadcasting Corp. Source