This is why tech toys are dangerous

Mike Elgan | Dec. 8, 2015
Suddenly, children's toys are a hacking risk. Here's what you need to know this holiday season.

The worst-case scenario is that VTech's bad policies and security infrastructure enabled predators to commit horrible crimes against children.

Not the only risk out there

Think of the VTech hack as a wake-up call. An increasing variety of toys and children's products are networked computers. In many cases, these toys do what traditional toys do, which is enable children to mimic adult behavior. But unlike, say, the Easy Bake Oven or a toy truck, today's toys pretend to be laptops, smartphones and other gadgets that children see their parents obsessing over.

Even traditional toys are getting Internet connections.

The most spectacular case this holiday season is Mattel's hot-selling Hello Barbie doll.

Hello Barbie enables children to chat with an artificial intelligence program in a remote data center.

Hello Barbie can engage in conversations with children. The doll connects to home Wi-Fi and works more or less like Apple's Siri. Kids ask questions (after pressing a button on the doll), and their voices are recorded, compressed and sent to remote servers run by a San Francisco company called ToyTalk, where artificial intelligence software processes the words, comes up with a response and sends it back to the doll over the Internet.

A smartphone app enables parents to see the conversations between their child and Hello Barbie; it also deletes them. The data is stored on the phone, which connects to Hello Barbie as if the doll were a home Wi-Fi hub.

While the Hello Barbie app provides parental control and peace of mind, it has also been the source of criticism over the product's security.

Security experts have reported that the Hello Barbie app connects to any Wi-Fi hub with "Barbie" in the name, and so malicious hackers could spoof the doll, connect to the phone and gain access to the data stored by the Hello Barbie app.

While the data passed between server, doll and app uses certificate-based encryption, the methods used by ToyTalk are not secure. For example, all Hello Barbie doll apps reportedly use the same hard-coded password to verify the certificate.
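The two weaknesses reported above (trusting a network by its name, and one secret shared by every install) can be contrasted with a per-device check in a short sketch. This is an added example, not code from Mattel, ToyTalk or the original article. Assumptions: `CompanionApp`, `proof`, `name_only_check`, the device IDs and the shared value are all hypothetical names and constructed sample values.

```python
import hashlib
import hmac
import os

SHARED_APP_PASSWORD = b"same-in-every-install"  # constructed stand-in for a hard-coded secret


def name_only_check(ssid: str) -> bool:
    """Weak pattern from the report: trust any network whose name contains 'Barbie'."""
    return "barbie" in ssid.lower()


def proof(secret: bytes, device_id: str, challenge: bytes) -> bytes:
    """Response a device computes over a fresh challenge with its own secret."""
    return hmac.new(secret, device_id.encode() + challenge, hashlib.sha256).digest()


class CompanionApp:
    """Hypothetical app that trusts a device by a secret set at pairing, not by name."""

    def __init__(self):
        self._secrets = {}  # device_id -> per-device secret

    def pair(self, device_id: str) -> bytes:
        secret = os.urandom(32)  # unique per device, never shipped in the app binary
        self._secrets[device_id] = secret
        return secret

    def verify(self, device_id: str, respond) -> bool:
        secret = self._secrets.get(device_id)
        if secret is None:
            return False  # unknown device: the name alone earns no trust
        challenge = os.urandom(16)  # fresh per attempt, so old responses cannot be replayed
        expected = proof(secret, device_id, challenge)
        return hmac.compare_digest(expected, respond(challenge))


def demo() -> dict:
    app = CompanionApp()
    doll_secret = app.pair("doll-01")
    genuine = lambda c: proof(doll_secret, "doll-01", c)
    # A network that only copies the name and knows the value every install shares.
    lookalike = lambda c: proof(SHARED_APP_PASSWORD, "doll-01", c)
    return {
        "name_check_genuine": name_only_check("Barbie-01"),
        "name_check_lookalike": name_only_check("Free Barbie WiFi"),
        "verified_genuine": app.verify("doll-01", genuine),
        "verified_lookalike": app.verify("doll-01", lookalike),
        "verified_unpaired": app.verify("doll-99", genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The name check accepts both networks, while the challenge-response check accepts only the device that holds the secret created at pairing.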

And the Hello Barbie system has been found to be riddled with other security holes as well.

Mattel and ToyTalk have reportedly been very responsive to reports of security vulnerabilities and have rapidly addressed many or all of them.

Here's the real takeaway from the security controversies around Hello Barbie: Because Barbie is an iconic brand, and because the toy is popular and is also being widely reported on, the product is getting massive scrutiny. Hello Barbie is an exception to how toy security is normally handled.

So while the public is super concerned about Hello Barbie, and the companies involved have been impressively responsive to those concerns, thousands of other toys are coming out under the radar. Those are the toys that pose real security threats. They're not being scrutinized like Hello Barbie, and the companies that make them aren't fixing the potential security problems.

 
