Parents, take note: Experts warn connected toys are vulnerable to hackers

NEW YORK -- Your smartphone or tablet is most likely pretty secure -- not perfect, maybe, but generally unlikely to be hacked or to store, say, your email where other people could read it.


The same can't be said for any Internet connected toys you may have purchased for your kids. Recently discovered security flaws in a pair of such toys highlight just how badly the toy industry has neglected such problems, theoretically exposing kids to online threats.

While major crimes stemming from the hack of a connected toy haven't yet surfaced, some experts argue that it's only a matter of time.

Kids "aren't expected to be Internet security experts and neither are their parents," said Tod Beardsley, security research manager for Rapid7 Inc., the Boston-based cybersecurity firm that published the toy-security research on Tuesday.

Rapid7 researchers examined the Fisher Price Smart Toy, an interactive stuffed animal for children aged three to eight that connects to the Internet via Wi-Fi. They also took a look at HereO, a recently launched GPS smartwatch that allows parents to track their child's location. In both cases, they found that the toys failed to safeguard children's information such as their names and, in the case of the watch, their location, storing it on cloud servers in such a way that unauthorized people could access it by masquerading as legitimate users.

After researchers informed the manufacturers of the flaws, the companies quickly fixed the problems.

Mattel Inc., which owns the Fisher Price brand, released a statement Monday emphasizing that it has no evidence that anyone actually stole any customer information because of the flaw. Eli Shemesh, chief technology officer for Cyprus-based hereO, released a statement saying that security remains paramount for his company, adding that the security flaw was fixed quickly and before the watches started shipping to customers.

Those security problems are far from unique, said Mark Stanislav, Rapid7's manager of global services and the researcher who discovered the flaws. Reports of connected-toy vulnerabilities have been rife in recent months, a trend he expects to continue to worsen as more connected toys hit the market.

Toy makers need to be "building security in at the development phase," Stanislav said in a statement.

Like many connected devices, the Fisher Price toy runs a version of Google's Android operating system, the same software that powers many smartphones and tablets. Beardsley, however, said toy makers don't have the same commitment to security that a major tech company would have.

"I would be shocked if any Android-based toy didn't have any problems," he said. Apple, whose iPhones and iPads are the biggest rivals to Android devices, doesn't license its mobile software for use in toys.

Toy-related security problems began to grab headlines late last year, when kids' tech maker VTech announced that one of its databases had been hacked, exposing the names, ages and genders of more than 6 million children who used the company's toys.

As the number of connected toys continues to grow, so will the number of hackings, says Bridget Karlin, managing director of Intel Corp.'s Internet of things group. Intel's chips power a slew of connected devices, including a GPS smartwatch for kids, similar to the HereO, that's set to go on sale later this year.

Karlin says that while the odds of any particular toy being hacked may be very low, most of the attacks are random. That means building in security from the ground up, starting at the silicon level.

In the case of the Fisher Price toy -- which is sold as a stuffed bear, panda or monkey and retails for about $100 -- the researchers found that the toy's software and applications weren't appropriately verifying who was trying to access its information. That could theoretically expose a child's name, birthday, spoken language and gender.

Of course, those tidbits of information aren't necessarily secret. But hackers could theoretically amass enough of them to create a phishing scheme aimed at financial fraud or identity theft down the road. In theory, the information could also be used to pull off the abduction of a child, though experts say the chance of that remains slim.

The same flaw also could allow an attacker to effectively take control of the device to do things such as change the account information, or monitor whether a child is playing with it or if an adult is using the related mobile app, the researchers said.

The HereO smartwatch is marketed as a safety device for children aged three to 12 and creates a kind of social network that's restricted to invited family and friends.

The brightly-colored watch has both a cellular and GPS connection, allowing parents to monitor a child's location through a mobile app. Features include messaging, location alerts and a panic button. The watch, which costs $179 in the U.S. plus a $4.95 per month monitoring fee, recently started shipping to customers around the world.

Rapid7 says its researchers found a way attackers could trick the watch into adding them onto a given family's account. That would give them access to the entire family's location history and profile details and even the ability to message parents or their kids.


