
Toy story

by Mark Rowe

The security of internet-connected ‘smart’ toys has often raised its head in the public domain as a cause for concern, writes Paul Marshall, Chief Customer Officer at Eseye, a supplier of cellular internet connections for IoT (Internet of Things) devices.

Earlier this year a complaint was filed in the United States with the Federal Trade Commission (FTC) against the makers of such toys, claiming that they are not taking security measures to block hackers and are therefore violating the USA’s Children’s Online Privacy Protection Act (COPPA).

Until now, however, a hack on this type of device had not been reported. That has now changed following a report this month from ethical hackers IOActive on an infiltration made into toy robots from three of the world’s most popular brands. The hack provided the ability not only to spy on the owners of the toys but also to film them and gain access to personal information.

When a toy uses Wi-Fi in the home it could be relatively easy to hack and re-programme, so it could be sent instructions to update the firmware or change the way it operates. The hacker is then inside your trusted home security network – with greater ability to explore and hack other connected devices in your home, including your security cameras or alarm system. While infringement of anyone’s privacy is disturbing, the ability to spy through a smart toy also provides the dangerous ability to not only watch or communicate with a child, but also locate them.

The problems associated with securing connected toys, or any connected devices, are exacerbated by the fact that manufacturers don’t make just one – many make millions of the same thing. This means once somebody has one of those toys, they also have the ability to work out the vulnerabilities in all of those millions of products.

The configuration and certification of individual connected toys is therefore critical to ensure they are secure. However, providing this capability conveniently for the parent and cost-effectively for the manufacturer has been an industry-wide problem for some time. But it can be achieved – by using a SIM, such as the AnyNet Secure, specifically designed as an automated solution to enable connected devices (including toys) to remotely and securely activate, connect, certify and authenticate.

The most important feature of this type of SIM is the ability to provision and launch the device onto a network without any physical contact. This means there’s no need for manual passwords or physical intervention in any way.

It’s a simple way to enable millions of parents to configure millions of toys; when they each register their child’s toy they can deliver their own security requirements directly into the SIM card over the air. Ultimately, the result is a vast reduction in risks for the manufacturer – and more importantly the parent.


© 2024 Professional Security Magazine. All rights reserved.
