In November last year, Consumer rights group Which? warned people about serious security loopholes in popular Bluetooth-enabled toys such as the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets that could pose a major risk to the privacy and safety of children.
Critical vulnerabilities in smart toys
The group noted that a range of Bluetooth-enabled toys named CloudPets featured serious security issues that allowed malicious actors to hack them and make them play their own voice messages. A kitten version of CloudPets was previously hacked and made to order its own cat food from a nearby Amazon Echo, and a researcher was able to hack into the toy from outside the street.
"More care needs to be taken when designing smart gadgets and toys, and the security and privacy of the user should not be left as afterthoughts. In the case of CloudPets, for example, some sort of authentication system could have been implemented when connecting via Bluetooth to increase security," said Which?
According to several reports, Amazon and eBay have decided to pull CloudPets from their online stores citing security concerns. The decision was taken after research carried out by the likes of ContextIS and Troy Hunt exposed security vulnerabilities in CloudPets products.
Commenting on the pulling of CloudPets products by Amazon and eBay, David Kennerley, Director of Threat Research at Webroot, said that it’s great to see retailers take a stand against poorly designed and configured IoT devices.
"IoT devices have been rapidly embraced by the consumer market and enterprises alike. Having an array of connected devices by their very nature increases the potential attack surface area of the network, that when compromised could grant an attacker access sensitive and highly valuable data. This is the same regardless of whether the device is in a large enterprise or your living room.
"Manufacturers of these devices have a responsibility to businesses and customers to ensure that security is built in during the development phase, with appropriate controls in place regarding the processing, storing and transit of end user data, whether remotely or locally. Mechanisms should be implemented that easily allow updates to be applied, while ensuring devices are easy to security harden. For example, enforcing the mandatory changing of default passwords.
"End users need to do their research, understanding the security risks associated with a particular IoT product, where possible. Once in place, the maintenance of the device must be prioritised to ensure ongoing resilience. IoT isn’t something you can setup once and forget," he said.
Deral Heiland, IoT Research Lead at Rapid7, told TEISS that in order to facilitate a plug-and-play experience and to make functionality simple, toy-makers are implementing Bluetooth and Bluetooth low energy connectivity in Bluetooth-enabled toys without adequate security.
"I am of the belief we can have both [usability and security], but consumers must face the fact that better security such as improved communication protections will add more complexity to the products, but if well designed and properly communicated, then the complexity should be minimal, making it possible for us have better-secured products which are easy to operate and maintain," he added.