Penetration Testing

Hacking Connected Toys is Child’s Play: Penetration Testing Smart Toys

Written by Elliott Thompson

Published on 30 Oct 2019

Cuddly animals, toy cars, dolls and action figures will never go out of style, but the latest versions come with a host of interactive features that go far beyond the LED lights and recorded sounds the most technologically advanced toys had when I was a kid.


Back then, I thought Teddy Ruxpin (a talking bear who could read you stories if you put a cassette tape in his back) was really advanced. Now, I have colleagues who couldn’t tell you what a cassette tape looked like, and kids’ toys come complete with microphones, speakers, cameras, and WiFi connections.


While connected toys are highly desirable, they aren’t always safe. Just like any other IoT device, connected toys can be vulnerable to attacks by hackers, leading to data theft. In some cases, they can even be hijacked entirely.


So what makes some of them vulnerable? And is there anything parents can do to keep their kids’ devices locked down? Answering these questions, and helping families protect themselves from hackers, requires cybersecurity insight and an understanding of risk management software and services – something that penetration testers at SureCloud offer.


How can smart toys be hacked?

Vulnerabilities in popular children’s devices are out there, waiting to be exploited. Insecure development practices, default passwords, and poor update mechanisms tend to be the culprits for letting hackers in.

This is something I had first-hand experience of last year, when I was asked to take part in a penetration testing exercise by Test Ankoop, the Dutch consumer organization and equivalent of the UK’s Which?

SureCloud’s cyber team was asked to test the security of a variety of devices in volunteers’ homes to the limit, and I picked up the VTech Storio Max – a tablet aimed at children as young as three years old.


After a sleepless night of research and tinkering, I found that not only could data be extracted from the device, it could be hijacked to chat with or spy on the device’s young owners – a nightmare scenario for any parent.


What can parents do to prevent smart toy hacks and spying?

After several high-profile vulnerability disclosures that led connected toys to be patched or withdrawn from sale entirely, toy companies seem to be more security-conscious when building the latest models (thanks to organizations like UNICEF). Still, no gadget can ever claim to be 100% unhackable. Parents may be apprehensive about giving connected toys to their children, but there are a few steps they can take to protect their children’s privacy:


1. Beware old toys

Older connected toys may be more cost-effective than the very latest kids’ gadgets, but they may be running on outdated firmware. Some of them are very simple and cheaply made, and security isn’t always as highly prioritized as it should be. Parents should do their research to see if the toy is still on sale, or if any security updates need to be applied.


2. Do your research

When I begin penetration tests, I start with a Google search to see if anyone else has discovered vulnerabilities in the device I’m testing. Parents should do the same when they’re looking to buy connected smart toys. A simple Google search will reveal whether a device is known to be unsafe or if any recommendations will make it more secure.


3. Update any default passwords

One of the ways that hackers break into IoT devices is by going through lists of default passwords. It’s often highly effective because manufacturers’ default passwords are so commonly left unchanged, but failing to change a password is just like buying a combination lock and leaving it on 0000. Parents should change any default password to something difficult to guess and distinct from the other passwords they use, closing off this easy way in.

4. Secure your home network

If your home network is insecure, the devices that use it could be at higher risk. Just as default passwords on devices should be swapped out for something more secure, the same should be done with your home broadband router. Disable WPS, and look up your router every now and again in case it has any vulnerabilities of its own that need to be patched. TechRadar outlines some more steps to keep your home WiFi secure.


5. Patch it up

Regular patching is one of the simplest ways to ensure your devices are as safe as they can be, but it’s often much harder to update a teddy than a normal laptop. Connected toys often have a “parent mode” where essential updates can be completed. Before your child plays with the toy for the first time, you should use this to apply any patches – and make sure you look for any further updates regularly and apply them as necessary.


When a cybercriminal breaks into a device, they can do so without raising any alarms. A penetration tester like me, on the other hand, will disclose the vulnerability to the manufacturer so it can be fixed. The work that we do in exposing vulnerabilities is vital. You can hear the inside story behind the VTech Storio Max hack in our webinar.

Want to learn more? Watch Elliott’s webinar presentation on hacking into VTech child’s devices and his top tips for safeguarding children’s gadgets.

About SureCloud

SureCloud also offers a wide range of cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) and CREST, and delivered using our innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.