A Quick Look at Smart Toy Security Failures (Part 1)

With the connected toy industry budding and everyone rushing a new generation of smart toys to market, corners are bound to be cut and mistakes are destined to be made. As security-conscious smart toy designers, we take a look at some of the bigger blunders of the past few years, find the root of the problems, and offer thoughts on what could have been done to create safer products.

While a lot of the supposed “hacks” are unlikely to occur in the real world, once the media gets hold of the story it can snowball into a public relations disaster, often with calls to avoid, return, or even destroy the affected toys.

 

My Friend Cayla, iQUE Intelligent Robot, Teksta Robotic Toucan

Genesis Toys was one of the frontrunners to market with connected cloud-based smart toys with the My Friend Cayla, iQUE Robot, and Teksta Toucan, all of which share similar technologies. Each of the dolls connects to its companion app via Bluetooth Low Energy (BLE), enabling voice recognition and interaction with games and activities within the app.

It turned out that the My Friend Cayla doll was easily hijacked by anyone nearby, who could listen in on the family or play audio through the doll. This security issue hit all the major news outlets and resulted in an official ban in Germany.

What went wrong?

Problem #1
The toys connect via Bluetooth as a headset device, behaving like a speaker and microphone for the connected tablet or phone. Any modern device can connect to the dolls, enabling the phone/tablet to listen through the doll or send audio through it, just like any headset.

Workinman’s advice
While this headset behavior simplifies the technology for development, it enables anyone nearby to pair with the toy’s microphone and speaker. Manufacturers should look at alternative Bluetooth device classifications and protocols whenever possible. If that is not possible, proper authentication on pairing should prevent unauthorized devices from connecting to the toy and snooping/playing audio.

 

Problem #2
Upon pairing, there are no authentication steps to assure the user it is their phone or tablet that is pairing to the doll, and not a random stranger next door.

Workinman’s advice
Skipping authentication does make for a very quick and seamless pairing experience for users, but the privacy cost is too great. Our recommendation is to design a simple connection flow in the companion app that guides users through pairing and utilizes the toy’s voice or LEDs to secure the connection.

For example: The toy could speak a 4-digit code that the user must enter into their app to confirm they are pairing with the correct product. This can also be done silently with LEDs (color codes) or an LCD display.
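A sketch of the toy-side logic for the spoken-code confirmation described above, as an added example that is not code from any of the toys discussed. The `PairingSession` type, the 60-second window and the three-attempt cap are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// PairingSession is hypothetical toy-side state for one pairing attempt.
type PairingSession struct {
	code     string    // 4-digit code the toy speaks or blinks
	expires  time.Time // the code is valid only for a short window
	attempts int       // wrong guesses left before the session is void
}

// NewPairingSession draws a uniformly random code from the system CSPRNG.
func NewPairingSession(now time.Time) (*PairingSession, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(10000))
	if err != nil {
		return nil, err
	}
	code := fmt.Sprintf("%04d", n.Int64())
	return &PairingSession{code, now.Add(60 * time.Second), 3}, nil
}

// Code is what the toy announces by voice or LEDs; the toy never transmits it.
func (s *PairingSession) Code() string { return s.code }

// Confirm checks the app's entry; with only 10,000 codes, the cap and expiry stop guessing.
func (s *PairingSession) Confirm(entered string, now time.Time) bool {
	if s.attempts <= 0 || now.After(s.expires) {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(entered), []byte(s.code)) == 1 {
		s.attempts = 0 // one-time use: a confirmed code cannot be replayed
		return true
	}
	s.attempts--
	return false
}

func main() {
	s, _ := NewPairingSession(time.Now())
	fmt.Println("wrong guess accepted:", s.Confirm("abcd", time.Now()))
	fmt.Println("right code accepted:", s.Confirm(s.Code(), time.Now()))
}
```

Once the cap is reached or the window expires, the toy should require a fresh physical action (such as a button press) before it announces a new code.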

 

Problem #3
The Bluetooth Broadcast ID that appears on any scanning phone or tablet is precisely the product’s name (My Friend Cayla, Teksta Toucan, iQUE Robot), making the Bluetooth broadcasts easily identifiable as toys, and now that the word is out: hackable toys.

Workinman’s advice
We highly recommend not using easy-to-identify broadcast IDs for children’s toys, since they make the toys more identifiable as a target. Use more cryptic codes instead. If pairing is done through the companion app, the app itself can recognize the code and connect to the appropriate ID, so it shouldn’t be a usability issue for users at all.

 

Problem #4
Security firm Pen Test Partners demonstrated a hack on the Teksta Toucan where they were able to swap out built-in voice files in the apps with their own profane files, making the robotic bird’s charming humor suddenly become inappropriate.

Workinman’s advice
While this led to a comical viral video of a cursing Toucan that helped promote the security firm, clearly any hacker who wants to pull this off would need access to the child’s device, and we feel that at this point the swapping of audio files would be the least of the parent’s concerns. This is less a “toy hack” than a hack of the device (phone or tablet) and its software (which can happen to most Android devices and apps).

 

Problem #5
Cloud-based voice recognition and AI is what allows the dolls to understand and respond to kids’ commands. This is an important concern in the US, where the COPPA law comes into effect. While the dolls don’t seem to solicit the personal identifying information that COPPA is concerned with, it is unknown if anything a child speaks, such as their home address, is transferred and stored online, which would be a clear violation of the act.

Workinman’s advice
Read our guide to COPPA for games and connected toys for more information.

 

Star Wars BB-8 App-enabled Droid

As the most popular smart toy to date, this licensed and slightly modified version of the Sphero app-controlled ball dominated sales for the 2015 season with its tie-in to the Star Wars: The Force Awakens film. In 2016, a vulnerability was discovered in this high-profile product and was subsequently reported all over as being “Hacked.” While the hack represents an unlikely scenario and no real privacy concerns, it could easily have been avoided in the app design process by utilizing some best practices for connected toy security.

What went wrong?

Problem
When forcing an over-the-air (OTA) firmware update from an Android device, the BB-8 companion app will download the firmware file over standard HTTP, as opposed to the secure and encrypted HTTPS. This means a man-in-the-middle style attack can happen where someone can intercept the download and push their own, hacked version of the firmware. This does not affect Apple devices, as iOS has a requirement that secure transport methods be used in apps. Since the Sphero Development SDK is available for public use, it’s a much more accessible platform for hacking.

Workinman’s advice
This is a simple fix and goes for all app-to-online communications: Always use secure connection protocols. A signing method for firmware can also be implemented for extreme security needs.

 

Cloud Pets

These connected plush toys by Spiral Toys are marketed as a lovable bridge between parents and their children. Both parents and child have the ability to interface with the toy through the companion app. Parents can send voice messages as well as invite their children to games and stories that are presented within the companion app itself. In 2017, the cloud platform that managed user accounts and bridged communications between the two ends was hacked, putting user privacy at risk.

What went wrong?

Problem #1
A data breach in early 2017 led to the theft of the Cloud Pets user database, containing over 800,000 user accounts and over 2,000,000 stored voice messages. Most of the data was stored unencrypted.

Workinman’s advice
This is a clear issue not with the toy and app design itself, but with the cloud platform behind them. While the signup process for a new Cloud Pet requires parental consent in compliance with COPPA, all the data was stored in a readable format and out in the open. Stored personal information needs to be encrypted and the system used to access it needs to be audited by security experts.

The 2 million voice recordings that were stolen and exposed are a potential COPPA violation. The company should have made an effort to purge unused data, not store it indefinitely. If the stolen messages were all in queue, waiting on delivery, it is more acceptable. If they were already played, done with, and just sitting in a data pile, then it may be a violation.

Read our guide to COPPA for games and connected toys for more information.

 

Problem #2
While the password data that was stolen was encrypted, the lack of password strength requirements on the platform resulted in hackers being able to easily guess a significant number of passwords. 

Workinman’s advice
Yes, strong password requirements can get annoying for users, but a longer, more unique password is critical to prevent these types of hacks.  

Strong password systems can actually be made fun and easier to remember for users. Let them use whatever password they want, then ask them to respond to a few more prompts, such as favorite color, favorite animal, and color of the plush-animal’s fur. While the three additional prompts are easy for the user to recall and input (multiple choice), they create a more complex set of credentials for a hacker to guess.

 

Furby Connect

The popular, yet slightly creepy, mammalian-bird creature that kids love became even more disturbing around the 2016 holiday season after serious vulnerabilities were revealed. This modern version of the classic toy uses Bluetooth and a companion mobile app to allow children to interact, receive updates, communicate with other Furbies, and receive audio content (Furby loves to sing). In early 2017 it was discovered that a hidden debug menu could be accessed and virtually anyone with a Bluetooth device could connect and change this critter’s behaviors.

What went wrong?

Problem #1
YouTube channel Jeija uploaded a video demonstrating an exploit that allowed any phone/tablet to connect to the toy over Bluetooth and easily access a hidden debug menu. From there, one can send behavior commands to the Furby, change settings, read sensor statuses, and push new audio content. All of these can be done without physical access to the toy; one only needs to be in range. That means powered-up Furbies can be modified as they sit there on store shelves.

Workinman’s advice
Again, we run into the same lack of Bluetooth authentication on pairing that we saw with the Cayla and Toucan. Adding a simple confirmation step to the pairing process will help thwart unauthorized connections.

The more serious issue is the open access to the debug menu. This should have been turned off, limited, or password protected in the release firmware.

Problem #2
The audio updates the Furbies receive over-the-air as a feature of the toy can also be easily modified to contain custom audio files.

Workinman’s advice
The update file should either be encrypted or use some proprietary format or key that makes it difficult to modify.
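Both the BB-8 advice (“a signing method for firmware”) and the Furby audio-update advice above come down to the toy refusing content it cannot authenticate. The following added example, not code from either product, uses an Ed25519 signature rather than encryption or a proprietary format; the `Update` layout and function names are assumptions, and the version check goes slightly beyond the text by also refusing older, validly signed images.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Update is a hypothetical package: payload plus the vendor's detached signature.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// DemoKeys makes a throwaway pair; a real private key stays on the build server.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }

// signedBytes binds the version to the payload so neither can be swapped alone.
func signedBytes(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// Sign is the vendor-side step, run once per release.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(priv, signedBytes(version, payload))}
}

// Verify runs before anything is flashed or played; pub is baked into the toy.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Payload), u.Signature) {
		return fmt.Errorf("bad signature: update rejected")
	}
	if u.Version <= installed { // refuse replays of old, validly signed images
		return fmt.Errorf("version %d not newer than %d: rejected", u.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := DemoKeys()
	u := Sign(priv, 2, []byte("constructed update bytes"))
	fmt.Println("genuine: ", Verify(pub, 1, u))
	u.Payload[0] ^= 0xff // the change an on-path attacker could make over HTTP
	fmt.Println("tampered:", Verify(pub, 1, u))
}
```

Because only the public key ships in the toy and app, extracting it from a device does not let anyone produce an update the toy will accept.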

 

Designing Safer Smart Toys

The key to keeping toys safe as they take on more advanced and open technologies is proper planning and a security-conscious developer. Workinman Interactive has over a decade of experience designing games and apps for the youth market, with Security and COPPA as a few of our many areas of expertise. Let’s chat about how we can help your toys launch and remain safe and successful.
