Privacy and safety risks
The Federal Bureau of Investigation (FBI) has issued a public service announcement that encourages consumers to carefully consider cyber security before introducing smart, interactive, internet-connected toys into their homes.
“Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions,” the announcement reads.
“These toys typically contain sensors, microphones, cameras, data storage components and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”
According to the FBI, the collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety.
For example, personal information (e.g., name, date of birth, pictures, address) is typically provided when creating user accounts. In addition, companies collect large amounts of supplemental data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history and Internet addresses/IPs. The exposure of such information, says the FBI, could create opportunities for child identity fraud. Moreover, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos and known interests to garner trust from a child could present exploitation risks.
As the FBI announcement notes, data collected from interactions or conversations between children and toys are typically sent and stored by the manufacturer or developer via server or cloud service.
“In some cases, it is also collected by third-party companies who manage the voice recognition software used in the toys,” the FBI statement elaborates. “Voice recordings, toy Web application (parent app) passwords, home addresses, Wi-Fi information, or sensitive personal data could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.”
According to the FBI, the cyber security measures used in the toy, the toy’s partner applications and the Wi-Fi network on which the toy connects directly impacts the overall user security.
“Communications connections where data is encrypted between the toy, Wi-Fi access points, and Internet servers that store data or interact with the toy are crucial to mitigate the risk of hackers exploiting the toy or possibly eavesdropping on conversations/audio messages,” the Bureau adds. “Bluetooth-connected toys that do not have authentication requirements (such as PINs or passwords) when pairing with the mobile devices could pose a risk for unauthorized access to the toy and allow communications with a child user. It could also be possible for unauthorized users to remotely gain access to the toy if the security measures used for these connections are insufficient or the device is compromised.”
Continuing concern over unsecured IoT devices
Concerns over unsecured IoT devices were also articulated by a recent U.S. Department of Homeland Security (DHS) report, which emphasized the importance of implementing security at the design phase by using hardware that incorporates security features to strengthen the protection and integrity of a device. This includes leveraging computer chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption.
In addition, the United States Government Accountability Office (GAO) published a detailed report that explores how the growing ubiquity and pervasive connectivity of IoT devices and networks may pose significant security risks. For example, unauthorized individuals and organizations could gain access to unsecured IoT devices and use them for potentially malicious purposes, including fraud or sabotage.
“Without proper safeguards, these systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks,” the report states. “The threat is substantial and increasing for many reasons, including the ease with which intruders can obtain and use hacking tools and technologies.”
As the U.S. GAO notes, threat actors make use of a variety of techniques that may compromise information or adversely affect devices, software, networks, an organization’s operations, an industry, or the Internet itself. Attack vectors include denial-of-service, distributed denial-of-service (DDoS), malware, passive wiretapping, structured query language injection, war driving and zero-day exploits. Therefore, says the U.S. GAO, designing and incorporating security controls into IoT devices from the initial design to the operational environment during development may help curtail vulnerabilities.
“As the number of deployed IoT devices grows, the risk of exploitation also grows. Any device that is connected to the Internet is at risk of being attacked if it does not have adequate access controls,” the report explains. “For example, as The Internet Society has suggested, an unprotected television that is infected with malware might send out thousands of harmful emails using the owner’s home Wi-Fi Internet connection.”
In addition, says the report, many IoT devices are configured with identical or near identical software and firmware, which can magnify the impact of successfully exploiting a technical vulnerability common to all of them. For example, security vulnerabilities that are identified for one type of IoT device might extend to all other IoT devices that use that same underlying firmware or share the same design characteristics. This significantly increases the potential for successful attacks.
It should be noted that the U.S. Federal Trade Commission filed a complaint against D-Link in January 2017, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumer privacy at risk. Specifically, the FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC complaint against D-Link followed cases brought against both ASUS and TRENDnet.
“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true,” the FTC adds. “[This is why] the FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.”