The French data protection agency has issued a formal notice to the manufacturers of My Friend Cayla, a popular doll that captures children’s speech and sends the recordings to parents’ or guardians’ mobile phones.
CNIL’s notice comes on the brink of Christmas, and warns prospective present-buyers that the toy has no privacy measures, allowing anyone within nine metres of it to pair with the device. Once they do, they’re able to listen to and communicate with the child through a microphone in the toy.
A familiar story
Internet of Things (IoT) technology has revolutionised the toy industry, with speech recognition software replacing simulated digestive systems as the must-have gadgetry for dolls. Although toymakers have always been concerned about children’s safety, they’ve historically focused on issues such as whether the toys were a choke hazard or could give children lead poisoning. Cyber security is a very different challenge, one that many manufacturers have failed to address.
In November 2017, Consumer magazine Which? tested seven toys and found cyber security vulnerabilities in four of them: the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
In a press release, Which? said: “In each of the toys the Bluetooth connection had not been secured, meaning during the tests our hacker didn’t need a password, PIN code or any other authentication to get access. In addition, very little technical know-how was needed to gain access to the toys to start sharing messages with a child.”
Using an existing hack, Which? was able to get the Furby to play audio files and manipulate the graphics in the toy’s eyes. It couldn’t turn the Furby into a listening device, but it “believes this is possible if someone was able to re-engineer its firmware”.
The Toy-Fi Teddy and CloudPets toys had the same vulnerabilities as My Friend Cayla, with the researchers at Which? able to play voice messages through the toys and listen to children’s responses.
The vulnerability in the CloudPets toy was exposed in February 2017 by Paul Stone, a security researcher. More than 800,000 customer records and 2 million audio recordings were left on a database that was neither password-protected nor behind a firewall, allowing malicious parties to repeatedly access the data and ransoming the company.
Spiral Toys, the manufacturer of CloudPets, tried to downplay the vulnerability. However, the share price of the foundering toymaker plummeted in the following months, and the company was ridiculed on social media, particularly after one Twitter user photographed dozens of CloudPets products on sale at a discount shop.
— Alex von Gluck 🍂 (@kallisti5) 20 March 2017
Security in the digital world
Smart toys will no doubt be at the top of many children’s Christmas wish lists, so security concerns leave parents and guardians in a tricky position. It’s hard to explain to your kids that Cayla isn’t their friend, but an “illegal espionage apparatus”, but it’s not as if any other smart toy should fill anyone with confidence.
Toys are a hot-button security issue because they affect the privacy of children, but the digitalisation of our everyday lives has created security vulnerabilities everywhere. Our December book of the month, Security in the Digital World, shows the extent of the problem and offers advice on how to navigate these threats.
This guide gives up-to-date information on consumer risks, providing you with:
- An understanding and awareness of information security and cyber threats;
- Explanations of what social engineering is and techniques used by cyber criminals;
- Advice on what to look out for online and your rights as a consumer;
- Guidance on common threats in the digital age, including malware, social engineering and ransomware; and
- Ten tips to keep your digital information secure.