If you're considering getting any of the so-called 'smart toys' currently on the market this Christmas, think hard. Some of this year's most popular Christmas toys have worrying vulnerabilities that leave them open to snooping and, in some cases, manipulation. MPs heard today (December 9th 2015) how these toys, which include Barbie and My Friend Cayla, are vulnerable to exploitation by spies and hackers.
Antony Walker of techUK, a body representing over 850 tech industry businesses, told MPs at the Commons Science and Technology Committee that any toy connected to the Internet could be used for covert surveillance. "A range of devices that have been in the news recently, in relation to a hack, are children's toys that children can interact with." "These are devices that may sit in a child's bedroom but are accessible." "In theory, the manufacturer of those products could be the subject of a warrant to enable equipment interference with those devices. "So the potential extent, I think, needs to be carefully considered."
How is this possible?
Smart toys carry content that the user downloads from the Internet, typically via a proprietary app. The toy is connected either via Wi-Fi or directly, at which point it may become vulnerable to exploitation. Some toys have better security than others, but as a rule, they're all hackable.
How is this legal? A draft version of the Investigatory Powers Bill states that intelligence services are allowed to access children's toys and that Internet service providers must assist them if required. The controversial bill is something we've written about extensively.
- What is the Investigatory Powers Bill?
- 5 things you need to know about the Investigatory Powers Bill
Which toys are vulnerable?
By definition, any toy that connects to the Internet can be accessed. Popular examples of such 'smart toys' include;
Hello Barbie - the talking version connects to the Internet and learns phrases.
My Friend Cayla - is similar to Barbie but aimed at younger children. This toy's vulnerabilities were exposed in early 2015 when a creepy video emerged of Cayla responding to questions with hacked answers. Not only can she be hacked to say whatever you want her to by configuring new phrases in her vocabulary, but she can also be hacked into for surveillance purposes.
Tech World News explained: 'On the server side, hackers could use client certification authentication credentials outside the app to probe the Hello Barbie cloud servers', Bluebox discovered. Also, the server domain for ToyTalk, which provides the app and the technology that powers Hello Barbie, was on a cloud infrastructure susceptible to the Poodle attack. While government intelligence agencies would need the correct permissions to hack into your children's toys, it's not beyond the realms of possibility that unethical (assuming for a moment that our intelligence agencies are entirely ethical) hackers could exploit the same vulnerabilities.