Cuddly animals, toy cars, dolls and action figures will never go out of style, but the latest versions come with a host of interactive features that go far beyond the LED lights and recorded sounds the most technologically advanced toys had when I was a kid.
Back then, I thought Teddy Ruxpin (a talking bear who could read you stories if you put a cassette tape in his back) was really advanced. Now, I have colleagues who couldn’t tell you what a cassette tape looked like, and kids’ toys come complete with microphones, speakers, cameras, and WiFi connections.
While connected toys are highly desirable, they aren’t always safe. Just like any other IoT device, connected toys can be vulnerable to attacks by hackers, leading to data theft. In some cases, they can even be hijacked entirely. So what makes some of them vulnerable? And is there anything parents can do anything to keep their kids’ devices locked down?
Vulnerabilities in popular children’s devices are out there, waiting to be exploited. Insecure development practices, default passwords, and poor update mechanisms tend to be the culprits letting hackers in.
This is something I had the first-hand experience of last year when I was asked to take part in a penetration testing exercise by Test Ankoop, the Dutch consumer organization and equivalent of the UK’s Which? SureCloud’s cyber team was asked to test the security of a variety of devices around volunteers home to the limit, and I picked up the VTech Storio Max – a tablet aimed at children as young as three years old.
After a sleepless night of research and tinkering, I found that not only could data be extracted from the device, it could be hijacked to chat with or spy on the device’s young owners – a nightmare scenario for any parent.
After several high-profile vulnerability disclosures that led connected toys to be patched or withdrawn from sale entirely, toy companies seem to be more security-conscious when building the latest models. Still, no gadget can ever claim to be 100% unhackable. Parents may be apprehensive about giving connected toys to their children, but there are a few steps they can take to protect their children’s privacy:
Older connected toys may be more cost-effective than the very latest kids’ gadgets, but they may be running on outdated firmware. Some of them are very simple and cheaply made, and security isn’t always as highly prioritized as it should be. Parents should do their research to see if the toy is still on sale, or if any security updates need to be applied.
When I begin penetration tests, I start with a Google search to see if anyone else has discovered vulnerabilities in the device I’m testing. Parents should do the same when they’re looking to buy connected toys. A simple Google search will reveal whether a device is known to be unsafe or if there are any recommendations that will make it more secure.
One of the ways that hackers break into IoT devices is by going through lists of default passwords. It’s often highly effective because the manufacturer’s default passwords are so commonly unchanged, but failing to change passwords is just like buying a combination lock and leaving it on 0000. Parents should change any default passwords to something that’s different, difficult to guess and distinct from other passwords they use to avoid this easy hack.
If your home network is insecure, the devices that use it could be at higher risk. Just as default passwords on devices should be swapped out for something more secure, the same should be done with your home broadband router. Disable WPS, and look up your router every now and again in case it has any vulnerabilities of its own that need to be patched. TechRadar outlines some more steps to keep your home WiFi secure here.
Regular patching is one of the simplest ways to ensure your devices are as safe as they can be, but it’s often much harder to update a teddy than a normal laptop. Connected toys often have a “parent mode” where essential updates can be completed. Before your child plays with the toy for the first time, you should use this to apply any patches – and make sure you look for any further updates regularly and apply them as necessary.
When a cyber criminal breaks into a device, they can do so without raising any alarms. A penetration tester like me, on the other hand, will disclose the vulnerability to the manufacturer so it can be fixed. The work that we do in exposing vulnerabilities is vital. You can hear the inside story behind the VTech Storio Max hack in our recent webinar here.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.