Parents, take note: Experts warn connected toys are vulnerable to hackers

NEW YORK -- Your smartphone or tablet is most likely pretty secure -- not perfect, maybe, but generally unlikely to be hacked or to store, say, your email where other people could read it.


The same can't be said for any Internet connected toys you may have purchased for your kids. Recently discovered security flaws in a pair of such toys highlight just how badly the toy industry has neglected such problems, theoretically exposing kids to online threats.

While major crimes stemming from the hack of a connected toy haven't yet surfaced, some experts argue that it's only a matter of time.

Kids "aren't expected to be Internet security experts and neither are their parents," said Tod Beardsley, security research manager for Rapid7 Inc., the Boston-based cybersecurity firm that published the toy-security research on Tuesday.

Rapid7 researchers examined the Fisher Price Smart Toy, an interactive stuffed animal for children aged three to eight that connects to the Internet via Wi-Fi. They also took a look at HereO, a recently launched GPS smartwatch that allows parents to track their child's location. In both cases, they found that the toys failed to safeguard children's information, such as their names and, in the case of the watch, their location, storing it on cloud servers in such a way that unauthorized people could access it by masquerading as legitimate users.

After researchers informed the manufacturers of the flaws, the companies quickly fixed the problems.

Mattel Inc., which owns the Fisher Price brand, released a statement Monday emphasizing that it has no evidence that anyone actually stole any customer information because of the flaw. Eli Shemesh, chief technology officer for Cyprus-based hereO, released a statement saying that security remains paramount for his company, adding that the security flaw was fixed quickly and before the watches started shipping to customers.

Those security problems are far from unique, said Mark Stanislav, Rapid7's manager of global services and the researcher who discovered the flaws. Reports of connected-toy vulnerabilities have been rife in recent months, a trend he expects to continue to worsen as more connected toys hit the market.

Toy makers need to be "building security in at the development phase," Stanislav said in a statement.

Like many connected devices, the Fisher Price toy runs a version of Google's Android operating system, the same software that powers many smartphones and tablets. Beardsley, however, said toy makers don't have the same commitment to security that a major tech company would have.

"I would be shocked if any Android-based toy didn't have any problems," he said. Apple, whose iPhones and iPads are the biggest rivals to Android devices, doesn't license its mobile software for use in toys.

Toy-related security problems began to grab headlines late last year, when kids' tech maker VTech announced that one of its databases had been hacked, exposing the names, ages and genders of more than 6 million children who used the company's toys.

As the number of connected toys continues to grow, so will the number of hackings, says Bridget Karlin, managing director of Intel Corp.'s Internet of things group. Intel's chips power a slew of connected devices, including a GPS smartwatch for kids, similar to the HereO, that's set to go on sale later this year.

Karlin says that while the odds of any particular toy being hacked may be very low, most of the attacks are random. That means building in security from the ground up, starting at the silicon level.

In the case of the Fisher Price toy -- which is sold as a stuffed bear, panda or monkey and retails for about $100 -- the researchers found that the toy's software and applications weren't appropriately verifying who was trying to access its information. That could theoretically expose a child's name, birthday, spoken language and gender.

Of course, those tidbits of information aren't necessarily secret. But hackers could theoretically amass enough of them to create a phishing scheme aimed at financial fraud or identity theft down the road. In theory, the information could also be used to pull off the abduction of a child, though experts say the chance of that remains slim.

The same flaw also could allow an attacker to effectively take control of the device to do things such as change the account information, or monitor whether a child is playing with it or if an adult is using the related mobile app, the researchers said.

The HereO smartwatch is marketed as a safety device for children aged three to 12 and creates a kind of social network that's restricted to invited family and friends.

The brightly-colored watch has both a cellular and GPS connection, allowing parents to monitor a child's location through a mobile app. Features include messaging, location alerts and a panic button. The watch, which costs $179 in the U.S. plus a $4.95 per month monitoring fee, recently started shipping to customers around the world.

Rapid7 says its researchers found a way attackers could trick the watch into adding them onto a given family's account. That would give them access to the entire family's location history and profile details and even the ability to message parents or their kids.


