How to know if your child’s smart toy has been hacked
Digital technology has infiltrated every aspect of our lives and opened up our homes to hacking and other forms of criminal activity – and that means toys are no longer just a choking hazard for children.
As smart toys have grown in popularity, authorities around the world have warned parents against giving their children technology that is poorly secured. Any device that can connect to the internet is vulnerable to hacking, but experts have found that some toys are particularly insecure. Germany’s Federal Network Agency telecoms regulator has responded by banning the sale of smartwatches marketed at children as well as the My Friend Cayla doll, claiming that they are an invasion of privacy and could be used to track a child’s location.
The FBI issued a similar warning about smart toys to parents last year, while a recent report by consumer group Which? highlighted that the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets featured unsecured Bluetooth connections, as its testers were able to access the devices without a password or pin. At the time, the cyber security firm that teamed up with Which? for the project called for such toys to be removed from the market with immediate effect.
IBTimes UK has contacted the manufacturers of these toys for comment and is awaiting their responses. Furby manufacturer Hasbro said at the time that “privacy is a top priority”, while i-Que manufacturer Vivid Imaginations said that none of its products had been used in a malicious way. The makers of Cloud Pets and Toy Fi both declined to comment.
However, experts suggest that prevention is better than the cure – as it is hard for the average person to identify a hacker.
“Your best defence is vigilance,” Peter Bassill, CEO of Hedgehog Security, told IBTimes UK. “Has the toy said something that doesn’t seem quite right? Are the lights flashing in a different way from when you first got it? Has it performed an action or done something while it wasn’t being played with? You are looking for the out of the ordinary, which will give away if something is wrong.” Asking your child if their toy is behaving in a strange way is also advisable, he added.
“The reality is there is probably not a lot parents can do to spot their children’s toys have been hacked, other than keep an eye on the news for stories of attacks happening or alerts from manufacturers – which in itself is quite shocking,” Stu Cox, a senior developer at app building firm Potato who specialises in security, told IBTimes UK.
Before buying toys, parents should check that they have built-in safeguarding tools.
“For example, they should make sure that any Bluetooth connections to the toy can be secured with a pin code that the parent can choose themselves,” Thomas Fischer, global security advocate at Digital Guardian, told IBTimes UK. Toys with a parents’ interface that enables adults to control the device’s capabilities and access its history will enable them to check for suspicious activity and connections to other devices, he added.
“I predict that electronics manufacturers will start developing products that families can add to their WiFi to look out for abnormal data being transferred and they are alerted this way,” said Cox.
However, experts are also careful not to scaremonger. “Connected toys are not bad, per se,” Liviu Arsene, Senior e-Threat Analyst at cyber security company Bitdefender, told IBTimes UK. “Smart toys and smart things behave just like internet-connected computers and smartphones. They need to be protected and secured.”
Commenting on the potential danger of smart toys for inews.co.uk, Carolyn Bunting, chief executive of Internet Matters, a non-profit organisation that advises the government on child internet safety, said that screen time, cyber bullying and peer pressure on social media are more obvious concerns for parents. “It’s a bit of a stretch, isn’t it, that a paedophile’s gonna get you through your Anki Overdrive smart cars?” she said.
Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.