Parents, take note: Experts warn connected toys are vulnerable to hackers

NEW YORK -- Your smartphone or tablet is most likely pretty secure -- not perfect, maybe, but generally unlikely to be hacked or to store, say, your email where other people could read it.

The same can't be said for any Internet connected toys you may have purchased for your kids. Recently discovered security flaws in a pair of such toys highlight just how badly the toy industry has neglected such problems, theoretically exposing kids to online threats.

While major crimes stemming from the hack of a connected toy haven't yet surfaced, some experts argue that it's only a matter of time.

Kids "aren't expected to be Internet security experts and neither are their parents," said Tod Beardsley, security research manager for Rapid7 Inc., the Boston-based cybersecurity firm that published the toy-security research on Tuesday.

Rapid7 researchers examined the Fisher Price Smart Toy, an interactive stuffed animal for children aged three to eight that connects to the Internet via Wi-Fi. They also took a look at HereO, a recently launched GPS smartwatch that allows parents to track their child's location. In both cases, they found that the toys failed to safeguard children's information, such as their names and, in the case of the watch, their location, storing it on cloud servers in such a way that unauthorized people could access it by masquerading as legitimate users.

After researchers informed the manufacturers of the flaws, the companies quickly fixed the problems.

Mattel Inc., which owns the Fisher Price brand, released a statement Monday emphasizing that it has no evidence that anyone actually stole any customer information because of the flaw. Eli Shemesh, chief technology officer for Cyprus-based hereO, released a statement saying that security remains paramount for his company, adding that the security flaw was fixed quickly and before the watches started shipping to customers.

Those security problems are far from unique, said Mark Stanislav, Rapid7's manager of global services and the researcher who discovered the flaws. Reports of connected-toy vulnerabilities have been rife in recent months, a trend he expects to continue to worsen as more connected toys hit the market.

Toy makers need to be "building security in at the development phase," Stanislav said in a statement.

Like many connected devices, the Fisher Price toy runs a version of Google's Android operating system, the same software that powers many smartphones and tablets. Beardsley, however, said toy makers don't have the same commitment to security that a major tech company would have.

"I would be shocked if any Android-based toy didn't have any problems," he said. Apple, whose iPhones and iPads are the biggest rivals to Android devices, doesn't license its mobile software for use in toys.

Toy-related security problems began to grab headlines late last year, when kids' tech maker VTech announced that one of its databases had been hacked, exposing the names, ages and genders of more than 6 million children who used the company's toys.

As the number of connected toys continues to grow, so will the number of hackings, says Bridget Karlin, managing director of Intel Corp.'s Internet of things group. Intel's chips power a slew of connected devices, including a GPS smartwatch for kids, similar to the HereO, that's set to go on sale later this year.

Karlin says that while the odds of any particular toy being hacked may be very low, most of the attacks are random. That means building in security from the ground up, starting at the silicon level.

In the case of the Fisher Price toy -- which is sold as a stuffed bear, panda or monkey and retails for about $100 -- the researchers found that the toy's software and applications weren't appropriately verifying who was trying to access its information. That could theoretically expose a child's name, birthday, spoken language and gender.

Of course, those tidbits of information aren't necessarily secret. But hackers could theoretically amass enough of them to create a phishing scheme aimed at financial fraud or identity theft down the road. In theory, the information could also be used to pull off the abduction of a child, though experts say the chance of that remains slim.

The same flaw also could allow an attacker to effectively take control of the device to do things such as change the account information, or monitor whether a child is playing with it or if an adult is using the related mobile app, the researchers said.

The HereO smartwatch is marketed as a safety device for children aged three to 12 and creates a kind of social network that's restricted to invited family and friends.

The brightly-colored watch has both a cellular and GPS connection, allowing parents to monitor a child's location through a mobile app. Features include messaging, location alerts and a panic button. The watch, which costs $179 in the U.S. plus a $4.95 per month monitoring fee, recently started shipping to customers around the world.

Rapid7 says its researchers found a way attackers could trick the watch into adding them onto a given family's account. That would give them access to the entire family's location history and profile details and even the ability to message parents or their kids.


