A number of toys that were investigated have been found to lack basic authentication measures, opening them up to an array of harmful attacks.
Numerous connected toys designed for children have been discovered with deep-rooted security issues, including lacking authentication for device pairing and an absence of encryption for connected online accounts.
The analysis, carried out in partnership between consumer group Which? and researchers at NCC Group, examined numerous smart toys available from big-name manufacturers including Spinmaster, Vtech and Mattel.
“While the onus should never fully lie with parents or guardians, checking that the product literature has adequate reference to security and privacy before buying must be the first step,” according to the NCC Group, which analysed the toys. “And if issues persist after buying the device, supervision must at all times be performed on toy operation and any accompanying online activity and use.”
The analysis is indicative of bigger security concerns in connected toys, which open them up as conduits to a “second-order IoT attack” on smart homes – but additionally pose severe privacy issues for the youngsters they are supposed to be for, according to NCC Group.
Lack of Authentication
Many toys examined lacked authentication measures for the Bluetooth connection used for pairing toys with their complementary apps or devices.
Such authentication serves as a security step to make sure that the device or app attempting to connect with the smart toy is from an authentic source, such as a parent or guardian. Lacking authentication opens the toys to an array of attacks, researchers stated.
An attacker may connect with the toy and stream manipulative messages to the child, asking them to go outside their home, for example. In testing the Vtech KidiGear walkie-talkie, for instance, researchers discovered that they could simply pair their very own walkie-talkie devices (if they were the same model) with those of a child.
The two walkie-talkie devices didn’t require mutual authentication, permitting strangers to then speak to the child on the opposite device from up to 150 meters away.
In a press release, Vtech stated: “Further to the latest Which? findings… The pairing of KidiGear Walkie Talkies can’t be initiated by a single device. Each device has to begin pairing at the same time within a brief 30 second window so as to connect.”
Researchers additionally discovered that the Singing Machine SMK250PP and a karaoke microphone from Amazon vendor TENVA – both of which permit audio to be streamed by way of Bluetooth – lacked authentication measures, which means an attacker who paired with them could potentially stream offensive material through them.
“Security is top priority with each Singing Machine product produced, as demonstrated by our 37 year history without a product recall,” stated Singing Machine in a press release. “We comply with industry best practices in addition to all relevant security and testing requirements.”
Researchers stated they had been unable to make contact with the manufacturer of the TENVA karaoke microphone toy.
Plain text Passwords
Another top concern stemmed from the online accounts that many connected toys require.
“The use-cases differed per toy, however normally this was required or advised so as to register the toy, permitting children to download new capabilities, or to share features or experiences with the toy in online forums with different children,” stated researchers.
When testing the security of the websites and online forums related to these accounts, researchers discovered a number of obvious security holes.
For example, when creating accounts, many websites didn’t provide encryption, which means that the usernames and passwords – and all related account and session data on toy websites and forums – were open to interception.
Researchers discovered that this was the case with the consumer website for Mattel’s FFB15 Bloxels “Build Your Own Video Game.” (Which? stated that the makers of Bloxels Edu portal, Mattel, declined to comment.)
The same problem was found in Spinmaster’s Boxer interactive robot. Researchers discovered that separate online accounts could be created by the parent or child at Spinmaster’s website, and that these could easily be intercepted because of the lack of encryption.
“Spinmaster, maker of the Boxer toy, identified that there’s no need to set up an account through the Spinmaster US website to use the Boxer toy or the companion Android/iOS app (which doesn’t require a login),” according to Which?.
Another concern researchers found was that “when creating new accounts, or using the ‘forgotten password’ option, the websites generally returned messages that might point out whether or not a given username or email address was already registered,” they stated. “Attackers would be capable of carrying out a brute-force attack against these functions to enumerate legitimate usernames and email addresses registered on the websites.”
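The following added example (not code from Which?, NCC Group or any of the toy vendors) shows the response pattern the researchers describe next to a uniform-response version, plus a regression check a site owner could run against both flows. The account store, mail queue, handler names and addresses are constructed for illustration.

```python
REGISTERED = {"parent@example.com"}  # constructed sample account store
OUTBOX = []                          # stands in for the site's mail queue

def _norm(email):
    return email.strip().lower()

def forgot_leaky(email):
    """Pattern from the report: the reply reveals whether the account exists."""
    if _norm(email) in REGISTERED:
        OUTBOX.append(_norm(email))
        return 200, "Reset link sent."
    return 404, "No account with that email address."

def register_leaky(email):
    """Same problem on the sign-up form."""
    if _norm(email) in REGISTERED:
        return 409, "That email address is already registered."
    REGISTERED.add(_norm(email))
    return 201, "Account created."

def forgot_uniform(email):
    """Identical status and body either way; only the side effect differs."""
    if _norm(email) in REGISTERED:
        OUTBOX.append(_norm(email))
    return 200, "If that address is registered, a reset link has been sent."

def register_uniform(email):
    """Always ask the user to confirm by mail; an existing owner gets a notice instead."""
    OUTBOX.append(_norm(email))  # confirmation link, or "you already have an account"
    return 200, "Check your inbox to finish signing up."

def leaks_existence(handler, known, unknown):
    """Regression check: True if the response distinguishes the two inputs."""
    return handler(known) != handler(unknown)
```

Rate limiting on both forms is still needed; uniform responses only remove the signal that makes enumeration useful.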
The connected toys are the most recent to have issues regarding security and privacy. After CloudPets connected teddy bears had been discovered to have exposed 2.2 million voice recordings between parents and their children in a major data breach, Amazon, Target and Walmart have pulled the toys from their online markets.
Genesis Toys’ My Friend Cayla doll (which was banned in Germany) and Mattel’s Hello Barbie doll have also suffered significant security issues.
Moving ahead, manufacturers have to take necessary steps in ensuring security by implementing authentication between toys and their owner devices or applications, stated researchers.
Manufacturers can also create mechanisms for persistent storage on devices, which could be used to store some distinctive identifier of a controlling app upon first use; or a mechanism to show text or project audio via a loudspeaker, which could be used to present a random one-time pairing code which changes upon every connection, they stated.
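A sketch of the two mechanisms the researchers suggest, combined into one toy-side pairing policy. This is an added example, not vendor firmware: the class and method names, the six-digit code length and the three-guess limit are assumptions, and a dict stands in for the device's persistent storage.

```python
import hmac
import secrets

class ToyPairingGate:
    """Toy-side pairing policy (hypothetical model)."""
    MAX_TRIES = 3  # assumed guess limit per displayed code

    def __init__(self, store=None):
        # `store` stands in for persistent flash; it survives reboots.
        self.store = store if store is not None else {}
        self._code = None
        self._tries = 0

    def begin_connection(self):
        """Create a fresh random code to show on screen or speak via the loudspeaker."""
        self._code = f"{secrets.randbelow(10**6):06d}"
        self._tries = 0
        return self._code

    def connect(self, controller_id, code):
        """Accept only the current code, and only from the first-bound controller."""
        if self._code is None or self._tries >= self.MAX_TRIES:
            return False
        self._tries += 1
        if not hmac.compare_digest(code.encode(), self._code.encode()):
            return False
        self._code = None  # single use: a new connection needs a new code
        bound = self.store.get("controller_id")
        if bound is None:
            # First use: remember the controlling app's identifier.
            self.store["controller_id"] = controller_id
            return True
        return hmac.compare_digest(bound.encode(), controller_id.encode())
```

Because the code is only visible or audible at the toy, a device in radio range but out of sight of the toy cannot complete pairing, and the stored identifier keeps a later connection from silently replacing the parent's app.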
It’s the responsibility of manufacturers to reassure their customers of the security of their merchandise, but it is also essential to have in place security-oriented standards for the Internet of Things industry as a whole.
“To ensure the logical security within the IoT, we have to make it more expensive for manufacturers to be unsafe than compliant. One of the biggest misconceptions is that customers assume that merchandise from well-known manufacturers is inherently secure; nevertheless this isn’t true and in a variety of instances, the race to be first to market usually sees a neglect in some of the fundamental security measures that customers should expect.”