How dangerous is a teddy bear or a doll? In the Internet of Things era, it’s not an idle question but one for parents and regulators to ponder seriously.
On Monday, Troy Hunt, the cybersecurity expert who maintains the “Have I been pwned?” database of major breaches affecting the clients of internet businesses, revealed a problem with CloudPets, a series of cuddly toys made by a U.S. company called Spiral Toys. The toys allow parents to talk with their kids remotely. The conversations were recorded and stored — along with users’ encrypted passwords — on an unprotected server that belonged to a Romanian company called mReady. The passwords were easy to break.
Hunt listened to some of the messages — sweet nothings kids want to say to their parents. Any malicious actor could have figured out how to communicate with the kids. Apparently, the exposed database was located numerous times using a search engine that finds connected devices, and attempts were made to hold Spiral Toys for ransom.
It was useless: According to a quarterly report it filed in the summer of 2016, the tiny, loss-making company had stopped making toys. Which, of course, hardly solves the problem for the parents who still have CloudPets in their homes.
This is not the first time connected toys have been found to expose kids in this way. Cayla, a doll made by Genesis Toys, allowed strangers — and, apparently, advertisers — to speak directly to children.
Another Genesis toy called i-Que co-starred with Cayla in a complaint to the Federal Trade Commission in the U.S. while a German regulator, the Federal Network Agency, this month banned Cayla outright, saying it was essentially a spying device. The regulator said it was testing other connected toys.
The much larger company Mattel has put out a lengthy list of frequently asked questions designed to convince parents that its web-connected Hello Barbie is safe. In 2015, security researcher Matt Jakubowski claimed to have hacked it, accessing sound files and location data.
Most parents understand what’s wrong with letting their kids use social networks and have their locations and activities tracked. Instinctively, many won’t even post their kids’ pictures online — and that’s probably wise because their own activity is being tracked and bad actors can get access to the data. But there appears to be less care involved in buying all sorts of connected toys, some of which, if hacked, make life easy — if not as exciting as a hacked doll would make it — for a stalker. VTech, the company that makes the Kidzoom DX — a kind of children’s smartwatch that was popular during the last holiday season — had been hacked in 2015, providing data on hundreds of thousands of kids who had used the firm’s toy laptops.
The opportunities for bullying, extortion, even kidnapping using the connected toys are endless. But adults’ information is also at risk from them: The toys can be conduits into home networks. A case is even known in which an internet-connected toy robot was used to take a picture of someone’s apartment keys.
Of course, every internet-connected object — a thermostat, a home lighting system, a car — can be unsafe. But adults are supposed to be qualified risk-takers, yet they expose their children at an increasing rate. In late 2015, Juniper Research estimated the size of the smart-toy market that year at $2.8 billion and predicted it would top $11 billion in 2020. Millennial parents are connected toy makers’ biggest hope: They allow their kids more screen time than previous generations of moms, and they generally trust technology, and technology companies, far more than analog-age people ever could. According to BSM Media, a company that specializes in marketing to mothers, 38 percent of moms buy connected toys because they “look educational.”
Like most of the data we voluntarily donate to internet companies, our kids’ data probably won’t be used for an evil purpose. But one breach is enough to change that, and to plunge a family into hell. If parents don’t realize that, it can only fall to regulators to make sure kids are protected.
Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.