Germany recently banned the doll ”Cayla.” It was considered a privacy risk, with one of the goals of the ban being to “protect the most vulnerable in our society”. What’s all this about, then?

Cayla is a smart doll, in other words a doll with a small computer and an Internet connection. Cayla also has a microphone, and so can potentially be used to spy on its surroundings. The ban isn’t Germany’s first – the smart doll ”Hello Barbie” was also banned (in addition to being dubbed ”Stasi Barbie”).

Internet-enabled toys – what could possibly go wrong? (Pic: Mattel)

Banned for a good reason, it seems, given that security researcher Matt Jakubowski has shown that the Hello Barbie doll has clear security flaws. Jakubowski showed that it’s possible to figure out where the owner lives, access their network, and listen to recordings the doll has made of discussions with a child (see also The Huffington Post).

The larger phenomenon of Internet-enabled things is called the Internet of Things, or IoT. And stories of IoT vulnerabilities are commonplace. I interviewed F-Secure’s Chief Research Officer Mikko Hyppönen about the vulnerability of IoT for an earlier blog, and a recent article by PCMag’s Max Eddy does a great job of both discussing the problem in general as well as going into specifics.

What makes two of the more recent cases of IoT vulnerabilities noteworthy is that they demonstrate that these vulnerabilities can also affect our children.

Data-leaking toys: the VTech story

The first example is one of the largest data breaches in history, reported on by Motherboard in late 2016. The breach affected VTech, a Hong Kong-based manufacturer of (among other things) learning products for kids.

A hacker, who told Motherboard about the hack, was able to access personal information of close to 5 million parents and over 200.000 children. Among the information were home addresses, email addresses, passwords, and security questions. The passwords were hashed, in other words not in plaintext. However, as security researcher Troy Hunt explained, the security questions were in plaintext. Meaning, an attacker could use the security question to bypass and reset the password and then access the account.

Among the data were also the children’s gender and date of birth. Hunt analyzed the case, noting that there was enough data that an attacker could link children to their parents and work out children’s names, ages, and home addresses.

Spying and data-leaking toys: the CloudPets story

The idea behind CloudPets is that parents can send messages to their children while they are apart. Parents, or other loved ones, can record a message on an app on their phone, and then the stuffed animal can play this message back. And children can use their CloudPets to record a message for their parent or loved one, wherever they are in the world.

More Internet-enabled toys… (Pic: cloudpets.com)

You might have already guessed where this story is going: not only did security researchers show that CloudPets could be used by an attacker to spy on children. But also, all the recordings leaked out online.

Actually, saying that they ”leaked” isn’t entirely correct – the company behind CloudPets, Spiral Toys, left the database with all the recordings unsecured online. Anyone who knew how to look for unsecured databases could find it and access it.

Hunt, the security wizard behind haveibeenpwned.com, has analyzed the CloudPets case. He notes that among the information were links to over 2 million recorded messages by parents and children, as well as email addresses for over 800.000 users. The passwords were hashed, but Hunt describes that there were no password strength requirements, and he demonstrated that this had resulted in many passwords being easy to crack.

CloudPets: a bad situation gets worse (and worse)

Things are rarely so bad that they can’t get worse. In the CloudPets case what happened was that someone downloaded all the files and replaced them with a ransom demand – pay us if you want your files back. (This isn’t something unique to the CloudPets case: as security researcher Brian Krebbs has reported on, thousands of databases have been ransomed this way.)

Several security researchers tried to contact Spiral Toys via email, LinkedIn, phone, etc. to warn them of the problem of their unsecured database, but received no answer from the company. When Spiral Toys finally did break their silence, their answer was so misleading as to almost be describable as untrue. (For the full story, see Troy Hunt’s blog or video blog about the case.)

The situation is so bad that security researcher Ken Munro has recommended CloudPets owners turn them off. And German watchdog the Federal Network Agency (Bundesnetzagentur) in turn has recommended CloudPets owners destroy them (see bbc.com).

Unfortunately, it seems one cannot trust companies to bear their responsibility regarding the security and privacy of children (or grown-ups for that matter).

So what?

What do we learn from this? Firstly: everything can be connected to the Internet, but not everything should be connected to the Internet. Before you buy a smart product, consider whether the product actually needs to be connected to the Internet. (For a steady stream of bite-sized, often humorous examples of this, check out the Internet of Shit Twitter account.)

Secondly: storing information online is always a risk. Assume that there is a good probability that the data will eventually leak. It’s fine for us as parents to take this risk with our own data. But we should be very careful in taking that risk on behalf of our children.

If you own a CloudPets toy, or are generally concerned about data breaches (which we should all be), then it’s a great idea to check out haveibeenpwned. It helps people see if they have been involved in a large number of known data breaches. (If you aren’t familiar with the concept of data breaches or haveibeenpwned, I have a blog post covering some basics.)

CloudPets, haveibeenpwned, Hello Barbie, VTech