If you're thinking of getting any of the so-called ‘smart toys’ currently on the market this Christmas, think hard. Some of this year’s most popular Christmas toys have worrying vulnerabilities that leave them open to snooping and in some cases, manipulation. MPs heard today (December 9th 2015) how these toys, which include Barbie and My Friend Cayla, are vulnerable to exploitation by spies and hackers.

Antony Walker of techUK, a body that represents over 850 tech industry businesses, told MPs at the Commons science and technology committee that any toy connected to the Internet could be used for covert surveillance. "A range of devices that have been in the news recently, in relation to a hack, are children's toys, that children can interact with. These are devices that may sit in a child's bedroom but are accessible. In theory, the manufacturer of those products could be the subject of a warrant to enable equipment interference with those devices. So the potential extent, I think, is something that needs to be carefully considered."

How is this possible?

Smart toys carry content that the user downloads from the Internet, typically via a proprietary app. The toy is connected either over Wi-Fi or directly to the phone or tablet, and at that point it may become vulnerable to exploitation. Some toys have better security than others, but as a rule they're all hackable.

How is this legal? A draft version of the Investigatory Powers Bill states not just that intelligence services are allowed to access children's toys, but that Internet service providers must assist them in doing so if required. The controversial bill is something we've written about extensively.

Which toys are vulnerable?

By definition, any toy that connects to the Internet can be accessed. Popular examples of such 'smart toys' include:

Hello Barbie - the talking version connects to the Internet and learns phrases.

My Friend Cayla - similar to Barbie but aimed at younger children. This toy's vulnerabilities were exposed in early 2015 when a creepy video emerged of Cayla responding to questions with hacked answers. Not only can she be made to say whatever you want by configuring new phrases in her vocabulary, but she can be hacked into for surveillance purposes too.

Tech World News explained: "On the server-side, hackers could use client certification authentication credentials outside the app to probe the Hello Barbie cloud servers, Bluebox discovered. Also, the server domain for ToyTalk, which provides the app and the technology that powers Hello Barbie, was on a cloud infrastructure susceptible to the Poodle attack." While government intelligence agencies would need the correct permissions to hack into your children's toys, it's not beyond the realms of possibility that unethical hackers (assuming for a moment that our intelligence agencies are entirely ethical) could exploit the same vulnerabilities.

Image credit - Wiki Commons