The Federal Bureau of Investigation has released an advisory warning parents regarding security concerns about “smart” toys.
The FBI warned that toys connected to the Internet “may contain parts or capabilities such as microphones, cameras, GPS, data storage and speech recognition that may disclose personal information.”
In February of 2016, toy manufacturer VTech carefully absolved themselves of blame for the future hacking of their children’s electronic toys. In April of this year, Germany banned the “Cayla” talking smart doll “were found to be transmitting audio recordings to a third party specializing in voice recognition for police and military forces.” The Bluetooth-enabled toy was built to answer questions using the Internet but collected identifying family information from its owners.
The FTC filed an official complaint about Cayla, claiming that its manufacturer violated the Children’s Online Privacy Protection Act (COPPA) by failing to take “reasonable security measures” to ensure the security of information that could only too easily be used to prey on children and their families. Kaspersky Lab Security Researcher David Emm explained that “concerns about the doll [center] mainly around privacy – the fact that secrets entrusted to the doll by a child could be accessed by a hacker.”
Even these two examples from the current and previous year are not the first time problems have arisen from poorly-secured electronic toys. In 2015, another security researcher by the name of Matt Jakubowski hacked a Hello Barbie, easily obtaining network names and identification.
He said that it was “easy” to then gain access to stored account information, audio files, and even the microphone of the toy itself. The vulnerability was only mitigated by the fact that Hello Barbie only records when a button is held down and that the audio sent to its ToyTalk servers is encrypted.
According to Jakubowski, “you can take that information and find out a person’s house or business,” and “it’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”