UK consumer body Which? — the equivalent of Australia’s Choice – has called for a ban on insecure internet-connectable child’s toys, releasing a video showing how easy it is for some devices to be compromised and used to speak directly to a child.
Which? takes particular issue with the i-Que Intelligent Robot, made by Genesis Toys, saying: “The German consumer organisation, Stiftung Warentest, found that it uses Bluetooth to pair with a phone or tablet, but the connection is unsecured. In fact, anyone can download the app, find an I-Que within Bluetooth range and start chatting by typing into a text field.”
To demonstrate the danger this poses Which? has created a short video in which a predator sees a child playing with the I-Que through the window of the child’s home. Using his phone he connects to the I-Que and types a message: “Hello, I have a surprise for you, come and open the door.” The I-Que speaks the message, and the child responds.
Which? also asked UK security firm ContextIS to probe a Furby Connect, a Bluetooth-connected smart toy made by US toy giant Hasbro. However, rather more expertise was required to hack this device. ContextIS, according to Which? “used elements of a project by Florian Euchner that explores a Furby Connect’s microcontrollers for controlling its movements and displaying animations on its LCD eyes.”
ContextIS demonstrated that the Furby Connect did not implement available Bluetooth security technologies such as requiring authentication for pairing or encrypting links between it and phones it connects with and was able to exploit these weaknesses to display custom graphics and animations on the toy’s eyes. It also found the toy does not require firmware updates to be digitally signed by the manufacturer, which could allow an attacker to install a malicious firmware update.
Which? has called on retailers to take smart toys off retail shelves if they have proven security or privacy issues. It notes that the FBI has published an advisory containing a lengthy list of what parents should do at a minimum prior to using internet-connected toys.
Mike Bell, Executive Vice President, IoT and devices at Canonical – the company behind the Ubuntu Linux distribution – said manufacturers should expect consumers to be increasingly wary of products sold with default passwords, unsecured connections, and other flaws that could bring cybercriminals into their homes.
“Findings such as these are likely to spark calls for new safety standards on cybersecurity for connected toys,” he said.
“In the meantime, manufacturers must look at their development processes to ensure they are not caught short when this happens, by eradicating default passwords, building encryption into the hardware and software layers of their devices, and ensuring that they can easily patch any new vulnerabilities remotely even after their devices hit the shelves.”
However, Phil Henrick, cofounder and CTO of Australian IT security consultancy CQR, does not believe it is practicable to make low cost, simple but potentially dangerous IoT devices in general more secure and patchable and has a more drastic solution.
Asked for his opinion on suggestions that security features should be required in IoT devices by legislation, Henrick told IoT Hub: “They would do better to just require these devices to brick themselves after a year, and force you to buy another one. The longer a device is exposed and unmaintained the more the chance that it will be compromised.”
He noted there was a precedent for this. Logitech recently announced that its Harmony Link hub, a plastic puck released in 2011 that gave smartphones and tablets the ability to act as universal remotes for thousands of devices, would cease to function after 16 March 2018.
However, so great was the customer backlash that Logitech later said it would provide all Harmony Link users with a free replacement.