Parents, take note: Experts warn connected toys are vulnerable to hackers

NEW YORK -- Your smartphone or tablet is most likely pretty secure -- not perfect, maybe, but generally unlikely to be hacked or to store, say, your email where other people could read it.

See Full Article

The same can't be said for any Internet connected toys you may have purchased for your kids. Recently discovered security flaws in a pair of such toys highlight just how badly the toy industry has neglected such problems, theoretically exposing kids to online threats.

While major crimes teeming from the hack of a connected toy haven't yet surfaced, some experts argue that it's only a matter of time.

Kids "aren't expected to be Internet security experts and neither are their parents," said Tod Beardsley, security research manager for Rapid7 Inc., the Boston-based cybersecurity firm that published the toy-security research on Tuesday.

Rapid7 researchers examined the Fisher Price Smart Toy, an interactive stuffed animal for children aged three to eight that connects to the Internet via Wi-Fi. They also took a look at HereO, a recently launched GPS smartwatch that allows parents to track their child's location. In both cases, they found that the toys failed to safeguard children's information such as their names and in the case of the watch, their location, storing it on cloud servers in such a way that unauthorized people could access it by masquerading as legitimate users.

After researchers informed the manufacturers of the flaws, the companies quickly fixed the problems.

Mattel Inc., which owns the Fisher Price brand, released a statement Monday emphasizing that it has no evidence that anyone actually stole any customer information because of the flaw. Eli Shemesh, chief technology officer for Cyprus-based hereO, released a statement saying that security remains paramount for his company, adding that the security flaw was fixed quickly and before the watches started shipping to customers.

Those security problems are far from unique, said Mark Stanislav, Rapid7's manager of global services and the researcher who discovered the flaws. Reports of connected-toy vulnerabilities have been rife in recent months, a trend he expects to continue to worsen as more connected toys hit the market.

Toy makers need to be "building security in at the development phase," Stanislav said in a statement.

Like many connected devices, the Fisher Price toy runs a version of Google's Android operating system, the same software that powers many smartphones and tablets. Beardsley, however, said toy makers don't have the same commitment to security that a major tech company would have.

"I would be shocked if any Android-based toy didn't have any problems," he said. Apple, whose iPhones and iPads are the biggest rivals to Android devices, doesn't license its mobile software for use in toys.

Toy-related security problems began to grab headlines late last year, when kid's tech maker VTech announced that one of its databases had been hacked, exposing the names, ages and genders of more than 6 million children who used the company's toys.

As the number of connected toys continues to grow, so will the number of hackings, says Bridget Karlin, managing director of Intel Corp.'s Internet of things group. Intel's chips power a slew of connected devices, including a GPS smartwatch for kids, similar to the HereO, that's set to go on sale later this year.

Karlin says that while the odds of any particular toy being hacked may be very low, most of the attacks are random. That means building in security from the ground up, starting at the silicon level.

In the case of the Fisher Price toy -- which is sold as a stuffed bear, panda or monkey and retails for about $100 -- the researchers found that the toy's software and applications weren't appropriately verifying who was trying to access its information. That could theoretically expose a child's name, birthday, spoken language and gender.

Of course, those tidbits of information aren't necessarily secret. But hackers could theoretically amass enough of them to create a phishing scheme aimed at financial fraud or identity theft down the road. In theory, the information could also be used to pull off the abduction of a child, though experts say the chance of that remains slim.

The same flaw also could allow an attacker to effectively take control of the device to do things such as change the account information, or monitor whether a child is playing with it or if an adult is using the related mobile app, the researchers said.

The HereO smartwatch is marketed as a safety device for children aged three to 12 and creates a kind of social network that's restricted to invited family and friends.

The brightly-colored watch has both a cellular and GPS connection, allowing parents to monitor a child's location through a mobile app. Features include messaging, location alerts and a panic button. The watch, which costs $179 in the U.S. plus a $4.95 per month monitoring fee, recently started shipping to customers around the world.

Rapid7 says its researchers found a way attackers could trick the watch into adding them onto a given family's account. That would give them access to the entire family's location history and profile details and even the ability to message parents or their kids.



Advertisements

Latest Tech & Science News

  • Loosening offshore drilling rules is a risky proposal

    Tech & Science CBC News
    The Trump administration is proposing a bill to roll back restrictions on oil drilling in offshore waters along its coast, including the Arctic.This wipes out regulations that were put in place after the Deepwater Horizon disaster in the Gulf of Mexico. Source
  • Google parent turns on internet balloons in Puerto Rico

    Tech & Science CTV News
    MENLO PARK, Calif. -- Google's parent Alphabet Inc. said Friday that its stratospheric balloons are now delivering the internet to remote areas of Puerto Rico where cellphone towers were knocked out by Hurricane Maria. Two of the search giant's "Project Loon" balloons are already over the country enabling texts, emails and basic web access to AT&T customers with handsets that use its 4G LTE network. Source
  • When stars collide: How 4,000 scientists converged for an epic kilonova cram session

    Tech & Science CBC News
    more stories from this episodeGord Downie: Canada's friend, poet, advocate, rocker and neighbourhood goalieWhen stars collide: How 4,000 scientists converged for an epic kilonova cram session A remote First Nation is going to use drone delivery to cut the cost of groceriesCareful what you wish for: The perils of wooing AmazonSex, drugs and rock 'n roll: The life and times of Rolling Stone founder Jann WennerHRW Researcher: 'Afghan children recruited in Iran are fighting and dying in…
  • Feds: Right whales should remain on endangered list

    Tech & Science CTV News
    PORTLAND, Maine -- As the North Atlantic right whale nears the end of a year of dangerously high mortality, federal ocean regulators are calling for it to remain listed as endangered, according to a report released Friday. Source
  • Berry disappointed: Bear tries to eat fake fruit on Manitoba woman's door wreath

    Tech & Science CTV News
    STE. ANNE, Man. -- It would have been one berry disappointed bear. Kim Bouwman was sitting in her rural home Thursday in Ste. Anne, about 40 kilometres southeast of Winnipeg, when she caught something out of the corner of her eye. Source
  • Birds' beaks may evolve to better reach backyard feeders

    Tech & Science CTV News
    Britain's enthusiasm for backyard bird-feeding may have led some of the nation's feathered friends to evolve bigger beaks in just the past 40 years, researchers said Thursday. The report in the U.S. journal Science compared beak length among birds known as great tits in Britain and The Netherlands, where bird-feeders are less common. Source
  • Elon Musk's Boring Company gets tunnelling go-ahead in Maryland

    Tech & Science CTV News
    The governor of Maryland has announced his support for tunnelling by tech visionary Elon Musk’s The Boring Company, which could mark the first step toward an ultra-high speed Hyperloop system on the U.S. East Coast. Source
  • B.C. SPCA says noteworthy singing pig tips the scales in search of forever home

    Tech & Science CTV News
    VANCOUVER -- A pig with personality is searching for a forever farm after being seized during a cruelty investigation in British Columbia. The B.C. Society for Prevention of Cruelty to Animals says Lyle, a two-year-old black pig, was fearful and didn't want to be touched when he was taken into care in Metro Vancouver just over a year ago. Source
  • Nearly 200 report fireball streaking across Northeast sky

    Tech & Science CTV News
    SEA GIRT, N.J. - Nearly 200 people across the Northeast reported seeing a bright object streak across the sky. The American Meteor Society says the flash of light that was spotted on Wednesday afternoon in New Jersey, Pennsylvania, New York, Massachusetts, Connecticut, Rhode Island, New Hampshire, Maryland and Delaware was a very bright meteor. Source
  • Backyard chicken trend causes spike in infections, 1 fatal, CDC reports

    Tech & Science CBC News
    Luke Gabriele was a healthy 14-year-old football player in Pennsylvania when he began to feel soreness in his chest that grew increasingly painful. When his breathing became difficult, doctors detected a mass that appeared to be a tumour. Source