Privacy News Please don’t buy this: smart toys

LASER_oneXM (thread author) wrote:
But much like other Internet of Things products, smart toys don’t have a great track record of protecting personal information, designing software according to industry best practices, and updating in a timely manner. And we’re in fairly new territory when it comes to young children and the Internet. Suddenly, we have to worry about protecting the digital footprint of our kids before they’re even online as active participants. Not only that, we don’t yet know the repercussions of a person’s data being collected and transmitted online essentially from birth.

As cool as that R2-D2 is, we suggest for the time being that you please don’t buy smart toys.

Why not?

The problems start to creep in with the data collection necessary for a toy to be properly interactive. While simple games and preprogrammed phrases can launch using on-board memory or a Bluetooth connection to a computer, more complex speech recognition and “remembering” user preferences and conversations generally require sending input data to a remote server for analysis of the training data set.

This process can be completely benign, if all points in the data transmission chain are configured and secured properly. Unfortunately, there is a lot of room in the collection chain for vulnerabilities to creep in.

At the point of collection, decisions need to be made to appropriately sanitize personal information. (Doubly important if the user is a child.) The collected data needs to be transmitted in a manner that’s secure against third-party eavesdroppers. And at the other end of the collection chain, all data needs to be stored on a secure server using patched, up-to-date software, and hashed with a modern, secure algorithm. Smart toy makers have not done well on any of these benchmarks in the past.

But an outstanding article by Troy Hunt took a look at their security practices and found:

  • No usage of SSL anywhere on their websites
  • Password hashing with a deprecated, easily-cracked algorithm
  • Storage of security questions in plain text
  • Extensive use of Flash

For those not in the know, these are basic, 101-level security design flaws that in total suggest irresponsibility by the company rather than a one-off event by a hyper-competent hacker. (Please read Troy’s follow-up article, which goes into greater detail on the impact of VTech’s poor design.)
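A defender-side illustration of two of the findings quoted above, added here as example code (it is not from the Malwarebytes article, Troy Hunt’s write-up, or VTech): an unsalted, deprecated hash such as MD5 produces the same digest for every user who picks the same password, so one precomputed table unlocks all of them, whereas a salted, deliberately slow PBKDF2 hash does not; and security-question answers can be normalized and hashed the same way rather than stored in plain text. The iteration count and the `iter$salt$digest` storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; tune the iteration count to your
# hardware and the current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(secret: str) -> str:
    """The deprecated pattern: unsalted MD5. Identical input gives identical output."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash stored in a self-describing 'iterations$salt$digest' string."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def normalize_answer(answer: str) -> str:
    """Security-question answers vary in case and spacing; normalize, then hash like a password."""
    return " ".join(answer.strip().lower().split())


def same_digest_for_same_input(secret: str) -> tuple:
    """Returns (md5_identical, pbkdf2_identical) for two users choosing the same secret."""
    return (legacy_md5(secret) == legacy_md5(secret),
            hash_secret(secret) == hash_secret(secret))
```

The first element of `same_digest_for_same_input` is always True, which is exactly why an unsalted hash table is cracked wholesale once one copy of the password list leaks.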