Various connected toys for children – hot off the shelves from this holiday shopping season – have been found with deep-rooted security issues, including missing authentication for device pairing and a lack of encryption for connected online accounts.
The research, formed by a partnership between consumer group Which? and researchers at NCC Group, tested various smart toys available from big-named brands including Spinmaster, Vtech and Mattel.
“While the onus should never fully lie with parents or guardians, checking that the product literature has sufficient reference to security and privacy before purchasing should be the first step,” according to the NCC Group, which analyzed the toys. “And if concerns persist after purchasing the device, supervision should always be performed on toy operation and any accompanying online activity and use.”
The research is indicative of larger security issues in connected toys, which open them up as conduits to a “second-order IoT attack” on smart homes – but also pose serious privacy issues for the children they are intended for, according to NCC Group.
No Authentication
Many toys tested were missing authentication measures for the Bluetooth connection used for pairing toys with their complementary apps or devices. This type of authentication serves as a security step to ensure that the device or app attempting to connect with the smart toy is from a legitimate source, such as a parent or guardian. Missing authentication opens the toys to an array of attacks, researchers said.
An attacker could connect to the toy and stream manipulative messages to the child, asking them to go outside to their front yard, for instance. In testing the Vtech KidiGear walkie-talkie, for example, researchers found that they could easily pair their own walkie-talkie devices (if they were the same brand) with those of a child. The two walkie-talkie devices didn’t need mutual authentication, allowing strangers to then talk to the child on the other device from up to 150 meters away.
In a statement, Vtech said: “Further to the recent Which? findings… The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30 second window in order to connect.”
Researchers also found that the Singing Machine SMK250PP and a karaoke microphone from Amazon seller TENVA – both of which allow audio to be streamed through them via Bluetooth – lacked authentication measures, meaning an attacker who paired with them could potentially stream offensive content through them.
“Safety is top priority with every Singing Machine product produced, as demonstrated by our 37 year history without a product recall,” said Singing Machine in a statement. “We follow industry best practices as well as all applicable safety and testing standards.”
Researchers said they were unable to connect with the manufacturer of the TENVA karaoke microphone toy.
Plaintext Passwords
Another top issue stemmed from the online accounts that many connected toys require.
“The use-cases differed per toy, but usually this was required or suggested in order to register the toy, allow children to download new capabilities, or to share aspects or experiences with the toy in online forums with other children,” said researchers.
When testing the security of the websites and online forums associated with these accounts, researchers found several glaring security holes. For instance, when creating accounts, many websites did not offer encryption, meaning that the usernames and passwords – and all associated account and session data on toy websites and forums – was open to interception.
Researchers found that this was the case with the consumer website for Mattel’s FFB15 Bloxels “Build Your Own Video Game.” (Which? said that the makers of Bloxels Edu portal, Mattel, declined to comment.)
A similar issue was discovered in Spinmaster’s Boxer interactive robot. Researchers found that separate online accounts can be created by the parent or child at Spinmaster’s website that can easily be intercepted due to lack of encryption.
“Spinmaster, maker of the Boxer toy, pointed out that there’s no need to set up an account via the Spinmaster US website to use the Boxer toy or the companion Android/iOS app (which doesn’t require a login),” according to Which?.
Another issue researchers discovered was that “when creating new accounts, or using the ‘forgotten password’ function, the websites commonly returned messages that would indicate whether a given username or email address was already registered,” they said. “Attackers would be able to perform a brute-force attack against these functions to enumerate valid usernames and email addresses registered on the sites.”
None of the websites enforced a password policy either, and privacy policies of the websites – including reasons behind collecting data such as child gender and ages – were vague and “arguably not complying with the Children’s Online Privacy Protection Rule (COPPA) requirement for there to be a ‘clear and comprehensive online privacy policy,’” said researchers.
Bad Toys
The connected toys are only the latest to have issues around security and privacy. After CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart have pulled the toys from their online markets. Genesis Toys’ My Friend Cayla doll (which was banned in Germany) and Mattel’s Hello Barbie doll have also undergone major security issues.
Moving forward, manufacturers need to take mandatory steps in ensuring security by implementing authentication between toys and their owner devices or applications, said researchers. Manufacturers can also create mechanisms for persistent storage on devices, which could be used to store some unique identifier of a controlling app upon first use; or a mechanism to display text or project audio through a loudspeaker, which could be used to present a random one-time pairing code which changes upon each connection, they said.
“It is the responsibility of manufacturers to reassure their customers of the security of their products, but it is also necessary to put in place security-oriented standards for the Internet of Things industry as a whole,” Dean Ferrando, systems engineer manager – EMEA at Tripwire, said in an email. “To ensure the logical security in the IoT, we need to make it more expensive for manufacturers to be unsafe than compliant. One of the biggest misconceptions is that consumers assume that products from large, well-known brands are inherently secure; however this is not true and in a lot of cases, the race to be first to market often sees a neglect in some of the basic security measures that consumers should expect.”
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.