Industry must take action to improve connected toy security – part 1

From connected home assistants and smart meters to fitness wristbands and Wi-Fi-enabled baby monitors, different Internet of Things (IoT) technologies are becoming more and more commonplace, with consumers gradually recognising the benefits of making every part of their lives ‘connected’ in some way.

There will be a staggering 20.4 billion connected business and consumer devices in use by 2020, according to Gartner. While all these connected devices can be incredibly useful, they can also leave users vulnerable to cyber-attacks.

Attack spreading like wildfire

Every device in the home that connects via Wi-Fi, Bluetooth or cellular networks is a potential vulnerability through which a hacker could gain access to your network. Even though the Wi-Fi connection might be password-protected – if a hacker is able to access a smart home device, or even a smart toy that is connected to it, they could then infiltrate data on the user’s smartphone or laptop. From there, they could steal sensitive files or hold applications and data hostage, demanding a ransom. A similar phenomenon crippled the NHS’s systems when the WannaCry ransomware attack spread across organisations worldwide last year.

Computers and smartphones are certainly not impenetrable, but they are generally developed for a purpose which makes built-in security paramount to their design; whether that’s storing information or conducting financial transactions. What’s more, additional security software is available, with updates regularly rolled out to ensure that operating systems are secure from potential hackers.

Unlike PCs and smartphones that have the benefit of over 10 years’ security innovation and evolution to fall back on, IoT devices are in their infancy. Some smart home products and connected toys aren’t designed to hold obviously sensitive data that a hacker would want to get hold of, so security standards on these devices are not yet fully formed. Furthermore, the industry is still developing and collating R&D to find the best ways of securing these devices, but not compromising on their functionality and ease-of-use.

The risks of connected toys

For makers of connected toys such as mini robots and smart teddies, security cannot be an afterthought. Not only could vulnerabilities in these devices leave home networks and personal data vulnerable to hackers it could also place children in physical danger. The most alarming scenario is that a hacker could potentially communicate with a child through an unsecured Wi-Fi or Bluetooth-enabled toy. This could quickly escalate into something even more sinister. The ability to intercept the cameras of microphones built into toys, retrieve photos and videos from devices, and even pinpoint the location of the device could put children at risk. While it’s far more likely that hackers would exploit security flaws to hack home networks, child safety remains a major concern.

A recent report from consumer watchdog Which? called for all connected toys with proven security or privacy issues to be taken off sale. The report revealed that a selection of connected toys, including the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toy all used unsecured Bluetooth connections, with no PIN code, password or any other authentication method needed to connect.

This isn’t the first time that concerns have been publicly raised over connected toys, so in part two of this blog post I will discuss the action which needs to be taken to ensure the safety of consumers.

Read more about the challenges associated with securing the Internet of Things here.