Why Are So Many Toys Vulnerable to Hacking?
I keep hoping we’ve reached peak vulnerable gadgets, only to hear about another unsecured device. Toys in particular keep turning out to be privacy and security nightmares that anyone with a little curiosity can uncover. This week in toy privacy nightmares, a company called Spiral Toys was found to have exposed more than 800,000 user account credentials online, along with 2 million voice message recordings.
The company’s CloudPets line, which includes internet-connected teddy bears, stored those credentials in a MongoDB database that required no password and sat on the public internet with no firewall in front of it. Security researchers found the database through Shodan, a search engine that indexes internet-exposed devices and services. Their work was independently verified by Motherboard. Of course, if security researchers found that database, it is entirely possible, and likely, that malicious actors did as well.
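The two settings that produce an "open MongoDB" of the kind Shodan indexes are a server bound to every interface and authorization switched off. The script below is an added example, not code from the article or from Spiral Toys: it lints a mongod.conf for exactly those two settings and ships with a constructed weak config and a hardened one. It assumes the YAML-style mongod.conf format (MongoDB 2.6 and later) with one key per line; the WARN wording and the decision to treat an unset `bindIp` as exposed (the pre-3.6 default was all interfaces) are my choices.

```shell
#!/bin/sh
# Added example, not from the article or CloudPets. Lint a mongod.conf for the
# two settings behind an "open MongoDB": net.bindIp on every interface and
# security.authorization not enabled. Assumes YAML-style mongod.conf, one key per line.

# conf_value FILE SECTION KEY: print the value of SECTION.KEY, or nothing if unset.
conf_value() {
    awk -v sec="$2" -v key="$3" '
        /^[^ \t#]/ { cur = $1; sub(/:.*/, "", cur) }       # new top-level section
        cur == sec && $1 == (key ":") { print $2; exit }   # first matching key wins
    ' "$1"
}

# mongo_conf_exposed FILE: return 0 if hardened, 1 if the instance would accept
# unauthenticated connections from any network that can reach it.
mongo_conf_exposed() {
    bind=$(conf_value "$1" net bindIp)
    auth=$(conf_value "$1" security authorization)
    exposed=0
    # Wildcard bind (IPv4 0.0.0.0 or IPv6 ::). Unset is treated as exposed too:
    # before MongoDB 3.6 the default was to listen on all interfaces (assumption).
    case ",$bind," in
        *,0.0.0.0,*|*,::,*|,,)
            echo "WARN: net.bindIp=${bind:-<unset>} listens on all interfaces"
            exposed=1 ;;
    esac
    if [ "$auth" != enabled ]; then
        echo "WARN: security.authorization=${auth:-<unset>}; any client that connects can read every collection"
        exposed=1
    fi
    return $exposed
}

# Constructed sample configs (not real CloudPets files) to run the check against.
write_weak_conf() {
    cat > "$1" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled  # no user or password required
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # loopback only; reach it over a private network or tunnel
security:
  authorization: enabled   # clients must authenticate as a created user
EOF
}

# Stand-alone run: write both samples to a temp dir, lint them, clean up.
dir=$(mktemp -d)
write_weak_conf "$dir/weak.conf"
write_hardened_conf "$dir/hardened.conf"
for f in "$dir/weak.conf" "$dir/hardened.conf"; do
    if mongo_conf_exposed "$f"; then echo "$f: OK"; else echo "$f: EXPOSED"; fi
done
rm -rf "$dir"
```

Binding to loopback is the right default for a single-host deployment; when application servers are on other machines, bind to the private interface address instead and add a host firewall rule so that only those servers can reach port 27017. Enabling authorization only helps once an administrative user has actually been created, so run the check together with a test login, not instead of one.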
CloudPets is only the latest name in a long line of vulnerable connected toys, including the Cayla doll, Hello Barbie, and toys from VTech. At this point, unsecured gadgets and toys are routine, which might have you asking why it is so difficult to build a secure connected device. The reasons vary, but for the most part they come down to money and rushed security work.
As I’ve written before about connected gadgets, building something secure isn’t easy. It requires a dedicated team who know what they are doing, money to pay those people, and time to think the design through. In CloudPets’ case, the parent company is floundering financially. Security researcher Troy Hunt, who reported the exposed database, notes that its stock is worth less than half a cent per share. That might also explain why the company didn’t respond to repeated requests for comment from either Hunt or Motherboard.
In other cases, like Hello Barbie, it isn’t so much that the doll wasn’t secure but that a toy company (Mattel) collected massive amounts of data on kids. That might be fiscally advantageous, but it certainly isn’t reassuring for parents. As Hunt writes in his blog post: “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.”
The good news is that these toys do require parental permission before they start collecting data. Typically that permission is given through a companion smartphone app. Before buying a toy, parents should read the privacy policy carefully and work out what data the company keeps. Does it sell that data to third parties? Does the data stay on the device, or is it uploaded to the company’s servers, and for how long is it kept there?
Connected toys have obvious appeal: they can interact with your kid, answer questions, and generally sound like cool ideas. But they introduce a range of risks that regular toys simply don’t have. Is a talking Barbie or an interactive teddy bear really worth it?