CIS Program Cautions Which Digital Toys Are Unsafe for Kids

December 19, 2019
CIS webinar on unsafe digital toys

Cindy Casey, the head of GMercyU’s Computer Information Science Program, doesn’t use Wi-Fi cameras in her home. “I know how easy they are to hack so I use hardwired devices,” she said during a CIS webinar on toy safety in the 21st century.

Wi-Fi enabled toys are part of the "Internet-of-Things (IoT)" and share the same networks as computers, routers, servers, and even the power grid. This makes smart devices such as baby monitors, home security systems, smartwatches, and toys vulnerable and easy to exploit.

In the webinar, Casey reviewed some popular Wi-Fi and Bluetooth smart toy technologies that could pose security risks to children. If you're in the thick of holiday shopping, it’s important to note that some of these products have already been taken out of production but are still in circulation at discount stores or on websites like Walmart, Amazon, and eBay. (And don't miss her tips on shopping for smart toys below.)

One toy Casey discussed was Mattel’s Hello Barbie. Although the manufacturer has stopped production of this toy, parents can still find it online. A hacker can potentially intercept the communication from the doll’s app and eavesdrop on communication between the child and the company’s server. (This is called a “man-in-the-middle attack.”) One way to protect children is to limit the amount and types of personal information shared with smart toys. However, do we really want to ask children to lie when their toys ask “What is your name?”

Similar to Hello Barbie, My Friend Cayla employs speech recognition via a Bluetooth app and was taken out of production. My Friend Cayla sent data to an unsecure third party for processing. Hackers were able to speak directly to a child playing with the doll, and could even use the toy as an audio surveillance device, even when no one was playing with it. "Anyone could hack the doll and listen to what was being said in the room," Casey said. In fact, in Germany, the doll was deemed an espionage device and banned. 

Last year, Casey had two of her CIS students, Patrick Timlin and Matthew Brown, hack the doll and present their findings at GMercyU’s undergraduate research conference. “It was alarming how easy it was,” she said.

Similar to My Friend Cayla, Fisher-Price’s Smart Bear comes equipped with a microphone, camera, and speaker, enabling the bear to hold conversations with a child. Hackers can gain unauthorized access to the bear's camera and use it to record without notification that the camera is in operation.

Other toys like some walkie talkies, which seek each other out to pair, have unsecure connections requiring no authentication. A stranger up to 656 feet away (about two football fields) could exploit this and pair with the device being used by a child. Any random stranger within range could potentially communicate with a child using the same device.

Other toy smartwatches are designed with GPS allowing parents to track their children; however, a hacker could hijack these unsecured devices and listen in on the child. A hacker could also access the watch's GPS and make the child untrackable. Even more alarming is that a predator could spoof the contact information in the device and message the child under the name Mom or Dad. When shopping for a child’s smartwatch, Casey recommends looking for one that requires authentication and encrypts data in motion.

Products like Amazon’s Echo Dot for Kids have come under fire for violating child privacy laws. This is because they collect voice recordings of children and whatever information children share with the product. Even if a parent knows how to delete the information, it's still stored in a cloud. Unfortunately, parents fail to read the privacy notices for these types of devices and in doing so are giving companies like carte blanche access to their children’s PII, including names, addresses, likes, dislikes, relatives, and family friends.

The gaming world has also proved vulnerable. Casey referenced the infamous 2014 attack by a hacking group called the Lizard Squad. They halted service on PlayStation and Xbox Live networks on Christmas using a DDoS (Distributed Denial-of-Service) attack, taking control of multiple machines to flood one target. It affected 45 million customers.

Advice from Cindy Casey

"The decision on when to introduce children to smart technologies is a personal one. However, parents need to realize that when they hand a young child a toy that connects to the internet, it is no different than handing that child a computer. Most parents would not give a small child a laptop connected to the internet unsupervised — these types of toys require just as much supervision.

"Before purchasing a smart toy, parents should research the item online. Type in the name of the toy and instead of looking at the reviews or hitting the shopping tab, select the news tab. See if there are any security breaches or other dangers associated with the item in question. Finally, read the end-user privacy agreements (including all of the links to hidden clauses) so that you are aware of what data is being collected, by whom, and what it is being used for."

About the CIS Webinar Series

This is the second webinar of a series hosted by GMercyU’s Computer Information Science Program. The webinars span cybersecurity, cyberterrorism, digital forensics, programming, web design, and more. “These free lectures and workshops will provide attendees with relevant information and advice that they can take away and use as they plan their educational and career paths. The webinars are open to current and prospective students, the GMercyU community, and the general public,” said Casey.

Stay tuned for information on the third webinar.