Internet of Toys in privacy warning

22 December 2017

Cyber security of the Internet of Toys (IoT) continues to be a hot topic, with internet-connected toys becoming the latest consumer product linked to privacy concerns.

Smart toys are big business with new connected devices being launched all the time - this Christmas parents could choose between connected robots, racing cars, interactive dolls and watches.

According to a recent European Commission report, the market for connected toys is expected to reach EUR 10 billion by 2020 – up from just EUR 2.6 billion in 2015.

Smart toys can record sounds and images, the device’s location and other personal details, like name, age and gender. Despite the sensitive nature of children’s data, research has found that many connected toys may be lacking in basic cyber security, and in some instances are putting personal data at risk.

SECURITY FLAWS

In November, consumer association Which? warned of weak cyber security for connected toys. It tested a number of connected toys, including Furby Connect, the i-Que robot, Cloudpets and Toy-fi Teddy, and found that they used unsecured Bluetooth to connect with other devices.

German telecoms watchdog, the Federal Network Agency, also raised concerns earlier this year about My Friend Cayla dolls, which respond to a child’s questions by connecting to the internet.

Researchers revealed that hackers could potentially use the doll’s Bluetooth connection to listen and talk to the child playing with it. Consumer groups in the US have also raised concerns about the toy and asked the authorities to act.

The past two years have seen security flaws exposed in a number of connected toys. For example, in 2016 toy-based technology company VTech suffered a large data breach exposing the details of some six million children. Research also showed that it would be possible for hackers to steal personal information from a Wi-Fi Barbie doll.

More recently, in February 2017 a cyber security researcher discovered an open database containing links to more than two million voice messages recorded on cuddly toys produced by CloudPets.

The account information of more than 800,000 users was also stored on the database.

REGULATOR RESPONSE

Incidents like these have caught the attention of regulators and policymakers. For example, commenting on the Which? findings, the UK’s National Cyber Security Centre (NCSC) called on manufacturers of connected devices to take every measure to ensure their products are safe to use.

A recent European Research Report called for better controls for the IoT. It said the ability of smart toys to record, store and share information about children raises concerns about their safety and privacy.

Data provided by children while they play - including the sounds, images and movements recorded by connected toys - is considered personal data protected by the EU data protection framework, as well as by the new General Data Protection Regulation (GDPR).

The GDPR, which applies from May 2018, will be challenging for smart toy manufacturers. It gives data owners new rights and places more stringent requirements on manufacturers.

Under the GDPR, toy companies will need to obtain an individual’s consent for the processing of personal data, as well as be able to meet data owners’ requests to rectify or delete data, or to reject the use of data in profiling.

IOT THREAT

Toys are just one area where the number of internet-connected devices is growing apace. Gartner predicts that there will be nearly 21 billion IoT devices by 2020, up from around 6.4 billion today.

However, IoT security has been shown to be wanting, and the expansion of devices exponentially increases the attack surface for hackers. In 2016, the Distributed Denial of Service (DDoS) attack against internet service provider Dyn used an army of botnets that included compromised webcams.

A recent report from Forrester Research predicts that IoT devices will lead to broader and more damaging cyber attacks.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com