Industry must take action to improve connected toy security – part 2

In part one of this blog post, I discussed the security risks of connected toys. In this post, I will discuss the action which can be taken to protect consumers from potential security breaches when using these devices.

Last year, the My Friend Cayla doll ran into trouble when the German government’s telecoms watchdog branded it an ‘illegal espionage apparatus’. The German Federal Network Agency ordered parents to immediately stop using the doll and destroy its concealed microphone as it breaks German privacy laws. Concerns over the doll have also been raised in the U.S.

In another example of the security risk posed by connected toys, smart toy maker Vtech was recently fined $650,000 by the US Federal Trade Commission following a security breach that exposed the data of 6.5 million customers. While investigating the breach, the FTC found that the Chinese firm’s Kid Connect app, which is used with some of its connected toys, had collected personal information from children without providing direct notice and obtaining their parent’s consent, violating a U.S. children’s privacy law. It also failed to take reasonable steps to secure the data it collected.

Although these stories are worrying, they also suggest that regulatory organisations are slowly recognising the potential security risks. Growing concern over the safety of connected toys has already led the FBI to put out a public service announcement urging people to consider cyber security before introducing these products into their home. And in the UK, the Information Commissioner’s Office recently offered guidance on how parents could keep their children safe when buying connected toys. These are important early steps in addressing the issue, but more needs to be done.

What happens next?

The industry has been slow to push security standards for connected toys, and while agreeing on industry standards is never straightforward, they are vital to the safety and security of both parents and children as the trend gathers steam. The advice for consumers is to do their research, check out reviews on reputable websites and only buy products from trusted retailers and manufacturers, checking the specifications to ensure that they come with robust built-in security. They are also advised to speak to the manufacturer about their security policy and seek advice from their Internet Service Provider (ISP). However, consumers can’t be expected to shoulder all of the burden. It is the responsibility of the manufacturers and ISPs to ensure that this information is readily available, in an easily understandable form.

Companies must develop clear privacy policies to let parents know what data is being collected from connected toys and how it is being used. It’s also essential that they work with partners to create a secure network for their devices and ensure that firmware and software updates are rolled out regularly, and that essential security patches are made available as quickly as possible.

For enterprises, the connected toy saga is a cautionary tale as the security threats facing the highly connected organisations of the modern world increase every day. All it takes is one unsecured device to breach a network. While you can’t stop the attacks happening, what is possible is to mitigate threats early and prevent attackers from compromising network security, gaining access to data and files they shouldn’t do and overloading IT systems with traffic from infected devices. It’s time every company took a more proactive stance on security, from multinational enterprises to novelty connected toy makers.

It’s vital that organisations — including governments, regulators, manufacturers and ISPs — consider how they can work together to create an end-to-end infrastructure with industry-wide standards to ensure the safety and security of consumers in 2018 and beyond.

Read more about the challenges associated with securing the Internet of Things here.