Dolls can be spies and books can be eavesdroppers. Are we keeping children safe from internet-connected toys? Paul Marshall, Chief Customer Officer at IoT connectivity product company Eseye, asks.
Two months ago, just eight weeks before this year’s Safer Internet Day, a complaint was filed with the Federal Trade Commission (FTC) in the United States against the makers of internet-connected ‘smart’ toys, claiming that reasonable security measures are not being taken to prevent an unauthorised person from hacking the products.
Should the complaint be upheld, the impact on the smart toy market is likely to be heavy, as any subsequent ruling would determine that the toys are violating the USA’s Children’s Online Privacy Protection Act (COPPA).
Infringement of anyone’s privacy is disturbing, but the invasion of a child’s privacy raises two key concerns: someone could watch or actually communicate with your child, and someone could easily find out where your child is.
However, a recent report about the trends in internet-connected toys demonstrates that the issue of security, or consumer concern around this issue, is not being treated as a threat to the sector’s growth.
Yet the recent complaint filed with the FTC, along with a growing number of media reports on the likes of the ‘spying Barbie’, shows that vulnerabilities in such toys, and other IoT devices, are very real. Perhaps a threat even greater than these vulnerabilities is the lack of perception about the extent of the risks.
The ability to spy on and locate a child through the internet-connected element of a toy isn’t the only vulnerability. If a toy uses Wi-Fi in the home it could be relatively easy to hack and re-programme, so it could be sent instructions to update the firmware or change the way it operates. The hacker is then inside your trusted home security network, with greater ability to explore and hack other connected devices in your home, including your security cameras or alarm system.
The problems associated with securing connected toys, or any connected devices, are exacerbated by the fact that manufacturers don’t make just one – many make millions of the same thing. This means once somebody has one of those toys, they have the ability to work out the vulnerabilities in all of those millions of products.
The configuration and certification of connected toys are therefore critical in order to ensure they are secure. Providing this capability has been an industry-wide problem for some time, but it can be achieved by using a SIM, such as the AnyNet Secure, specifically designed as an automated solution to enable connected devices (including toys) to remotely and securely activate, connect, certify and authenticate.
The most important feature of this SIM is the ability to provision and launch the device onto a network without any physical contact. This means there’s no need for manual passwords or physical intervention in any way.
It’s a simple way to enable millions of parents to configure millions of toys; when they each register their child’s toy they can deliver their own security requirements directly into the SIM card over the air. Ultimately, the result is a vast reduction in risks for the manufacturer – and more importantly the parent. After all, while a hack hasn’t been reported as yet, it is only a matter of time before one is.