Dr Victoria Nash of the Oxford Internet Institute gives advice on the security risks of smart toys that talk to the internet.
In early 2015, Ken Munro, a security researcher from Pentest, demonstrated that something was amiss with Vivid Toy’s talking doll Cayla.
The angelic-looking internet-connected doll was designed to use speech recognition software to ‘listen’ to its child owner, before searching online via a Bluetooth app on a parent’s phone for a supposedly safe and appropriate response.
Unfortunately, Cayla proved less than angelic in practice. Munro’s security tests revealed that Cayla’s software could be hacked, potentially turning her into a potty-mouthed liability by changing her database of appropriate responses.
Even more worryingly, Munro’s team demonstrated that the Bluetooth app used to connect to a parent’s phone was itself also insecure, leading to the possibility that a nearby stranger with sinister intent could themselves connect to the doll.
Whilst we have no evidence that any child came to harm playing with Cayla, this is not an isolated incident. Several other toy companies have garnered attention for their similar failure to provide safe online environments for children to play in, or to ensure that data collected is entirely secure. VTech, for example, suffered a massive loss of data in 2015, including pictures and videos of children generated from its toy camera range.
But beyond the alarm caused for the families that bought this doll, Cayla raises a broader issue. Many children’s toys are ‘smart’ now, with various integral features that either enable them to connect directly to the internet (such as CloudPets or Hello Barbie) or to be used alongside additional apps for an enhanced experience (VTech cameras or even Lego).
And whilst most of us are aware that using the internet brings risks of being hacked, or having personal data lost or misused, would we really expect this of our kids’ toys?
Part of the problem is that it’s not necessarily obvious from toy packaging that a ‘smart’ toy will only work if connected to the internet. Even if parents are aware of this requirement, it’s very hard to tell which toy companies take internet security and child safety seriously. Well-established companies such as Lego, who have been in the digital space for several years, have a more mature and better thought-through approach than many others who are newer to the market. But even this offers no guarantee.
What can parents do?
Certainly, the simplest option would be to leave internet-connected toys on the shelf. But this does seem like rather an extreme response, particularly for parents faced with demands from their children. So what else can parents do?
Right now, it’s hard to protect against all risks. One obvious option would be to buy toys from recognised, trusted brands, which might be expected to respond to any observed security flaws, like the criticisms Mattel faced when it released Hello Barbie just before Christmas 2015.
Another useful tip is to look for online reviews before buying the toy. Concerns about CloudPets were quick to surface, for example, and tech news websites are often ahead of the game.
Finally, it pays to read carefully any information that accompanies a connected toy. There may be options to switch off particular features, or details of what data is collected and how it is used.
In the longer term, we should hope that pressure from consumer rights groups and even governments might encourage toy companies to place easy-to-understand details of internet connectivity and data use on the packaging.
Ultimately, perhaps the most important point is that we shouldn’t be lulled into a false sense of security by a toy’s appearance. It may look like a teddy, but if it talks to the internet, then it’s effectively a computer.
Kids & the Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots (Family Online Safety Institute report)
Please note, the advice published on Parent Info is provided by independent experts in their field and is not necessarily the view of either Parent Zone or CEOP.