Smart toys: smart or just creepy?

Lisa R. Lifshitz
It’s been a bad few weeks for Internet-enabled “smart” children’s toys.

Citing privacy and security concerns, on Feb. 17, the Bundesnetzagentur, Germany’s Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, announced that it had banned a popular doll called My Friend Cayla and decisively removed the product from the German marketplace.  

Cayla is an interactive doll currently sold in Canada that connects to the Internet via Bluetooth and can respond to a child’s questions in real time. Sounds innocent, right? However, critics allege that the toy uses a hidden microphone to record and collect the discussions with children without any meaningful limitations on collection, use or disclosure of any personal information or adequate data protection standards.

German laws currently stipulate that wireless devices with hidden cameras or microphones are illegal. Following an investigation spurred on by a complaint that the dolls were so insecure that their Bluetooth connections (lacking a proper password) could be hacked up to 10 metres away, the Bundesnetzagentur held that toys such as Cayla that are capable of transmitting signals and that can be used to record images or sounds without detection would be prohibited in Germany to protect children, the most vulnerable members of society.  

The Bundesnetzagentur was particularly concerned that the toys could be used as concealed surveillance devices and allow hackers to exploit children. In a press release, the regulator noted that the toy acted as “unauthorised wireless transmitting equipment” as anything the child says or other people's conversations can be recorded and transmitted without the parents' knowledge. A company could also use the toy to advertise directly to the child or their parents. Moreover, if the manufacturer has not adequately protected the wireless connection (such as Bluetooth), the toy can be used by anyone in the vicinity to listen in on conversations undetected.

While the Bundesnetzagentur has held the dolls to be illegal in Germany, it is not currently considering penalties against their owners and indicated that it expects parents to “do the right thing” and destroy them on their own volition.

While the Cayla doll is the first toy to be banned under the Bundesnetzagentur’s authority to enforce the ban on surveillance devices, it may not be last since the regulator also indicated it would be inspecting other interactive toys and “if necessary, will take further action.”   

Cayla is manufactured in the United States and has been available since 2014, but the doll came under scrutiny in 2015 when U.K.-based security consultants Pen Test Partners discovered it was possible to hack the doll and remotely control what it said.  

Last year, more than 18 privacy groups filed complaints with the U.S. Federal Trade Commission and the European Union about connected toys like My Friend Cayla, claiming manufacturer Genesis Toys and its speech recognition software partner Nuance violated deceptive practices and privacy laws such as the U.S. Children’s Online Privacy Protection Act. For example, on Dec. 6, 2016, U.S.-based advocacy groups including the Electronic Privacy Information Center, or EPIC, launched a complaint and request for investigation with the FTC citing myriad privacy concerns (including that the terms of service and privacy policy for My Friend Cayla are confusing and hard to access, failure of the manufacturers to adhere to adequate deletion and data detention requirements and unfair failure to employ reasonable security practices to prevent unauthorized Bluetooth connections). Concerns were also raised that Genesis and Nuance were selling the data collected from children and others to military, intelligence and law enforcement agencies. The FTC complaint also noted that Cayla was programmed to reference Disneyworld and Disney movies and as this product placement was not disclosed prior to purchase parents who bought the doll for their children were unaware that their children were being subjected to product placement in their conversations.  

Perhaps even more spectacular than the Cayla ban, however, is the most recent security failing that has come to light in connection with CloudPets. These tremendously cute stuffed toys (teddy bears, cats, elephants and the like) contain built-in microphones and speakers and connect to the Internet via Bluetooth. The toy allows family members to exchange voice messages between their children, friends and relatives using an iOS or Android app on a tablet or smartphone. Children could also record messages as a reply using the toy via the app.
The audio files were stored in the cloud in a MongoDB database.

The details around this story have been slowly emerging since late December, but on Feb. 28, it was widely reported that Spiral Toys, the company that made CloudPets, had mistakenly left more than 800,000 customer emails and passwords, access to profile pictures and data that could help hackers retrieve more than two million voice messages exchanged between children and their parents totally unencrypted, without the protection of even a password or firewall, since Christmas of last year. As the publication Motherboard later reported, there is further evidence that at least two hackers tried to overwrite the MongoDB database three times, took copies of the data, deleted the data on the server and left a note demanding a ransomware payment for the safe return of the data. The story broke when a security breach expert named Troy Hunt (who maintains the HaveIbeenpwned website) received detailed copies of the stolen records, along with screenshots depicting the efforts of Good Samaritan Victor Gevers, who vainly tried to alert the toy manufacturer several times, including directly through its customer support portal and via its ISP starting on Dec. 31, 2016 about the gaping security holes but was thoroughly ignored.

The facts of this incident read like a textbook example of how a company should not be managing its Internet of Things security or a data breach. The CloudPets app had appalling password management — users could create a password as short as one letter (the company’s own tutorial suggested “qwe” would be perfectly adequate). Spiral Toys initially denied that any voice recordings or other data had been stolen, claiming they only found out about the security flaw on Feb. 22, which is unlikely given the evidence. They initially also downplayed the seriousness of the problem, calling it “minimal.” But, finally, on Feb. 28, the company sent California’s attorney general a breach notification as required under California privacy law.

Spiral Toys’ response was not sufficient for U.S. Senator Bill Nelson, who on March 7 sent a letter to the company’s CEO Mark Meyers, asking for clarification by March 23 on 10 questions relating to the data breach, the toy maker’s data existing collection processes and security measures in place to protect against intrusions, and whether its practices are compliant with COPPA to adequately protect the confidentiality, security and integrity of personal information collected from children. Nelson also wanted to know whether the company discloses to customers that it collects personal information, whether that data is shared or sold to third parties and whether prior data breaches had occurred.  

Clearly, many IoT manufacturers — particularly in the area of “smart toys” — are still not getting the message regarding the importance of privacy and security best practices and how they need to be “baked in” to all stages of the development and retail process. Perhaps more national bans and regulatory scrutiny can help prod manufacturers down this path. Until then, concerned parents may wish to limit their children’s use of these connected toys since they are not so smart — just creepy. In the meantime, individuals with CloudPets accounts should likely change their passwords immediately (and use something stronger than “cloudpets” as some users did previously) and, perhaps more drastically, disconnect the toy from the Internet altogether.