The Cost of Trust: How Secure Are Your Toys?
Consumers Must Demand that Internet-Connected toys Offer the Basics of Trust and Security
You’ve planned a precision military strike; readied your forces and resources to acquire the target when it’s at hand; and done all the intel and weighed your options between kinetic and digital operations.
You’re finally ready to acquire THE toy of the holiday season.
If your target is a connected toy, there is a new angle to consider: how secure is that toy? Is the connectivity of the toy potentially exposing personal data about your child?
This reality hit home last season with the reported breach of VTech, a manufacturer who offers multiple connected toys in its portfolio. The breach reportedly involved over six million records, including personal data and photos of children. At the time the VTech breach publicly surfaced, I was surprised at the tepid nature of the response. Breaches that involve data about veterans or children normally generate more outrage. But the VTech breach seemed to quickly fade from relevance.
I was candidly banking on the outrage of mothers. My boys were young when Steve Irwin and his Crocodile Hunter show were quite popular. Irwin’s fame took a direct hit when a video of him entering a crocodile pit with his infant son in his arms surfaced. To say that the collective mothers of the world did not approve of the visual is an understatement. Sales of Irwin’s videos declined because, while it was the kids who watched, it was the moms who bought. Moms don’t respond well at the thought of children being placed in harm’s way.
I therefore anticipated a similar reaction from moms to the VTech breach. I was sure news that photos of children were exposed to theft would illicit concerns about the trust of connected toys. But I can find no evidence that buying behaviors toward connected toys have changed, despite practical warnings such as the VTech breach.
Last month, the Mirai botnet demonstrated how accessing connected devices and using them to execute a denial of service attack could slow down Internet traffic on the Eastern seaboard to a crawl. Mirai was implemented using DVRs and connected security cameras, which were easily exploited due to poor security design and implementation. The lack of security and trust in connected products was instantly thrust into the spotlight.
Like the devices exploited in the Mirai attack, it is safe to assume that connected toys fall short of secure design or best practice-level implementation of security protocols. Passwords, if they exist at all, are likely set to easily obtained defaults that make connected toys easy targets. After all, a connected toy with a camera has probably the same basic electronics as a remote security camera.
You can be equally assured that the practices around securing the data collected by the device is likely non-existent. Those who have read my articles before know I stress an important maxim: if a device is connected, it collects data, and that data is sent somewhere and stored. This is simply how connected devices work. What data is collected, where the data is stored, and how the data is used should all be questions asked in the new connected world—even for toys.
Industries like financial services have been dealing with security and trust well before the Internet existed, and when they moved into the connected world, security and trust were, and are, a critical foundation of their online business offerings. Addressing security and trust is a completely new requirement for a host of industries as they enter the connected world. Until they catch up, it is reasonable to have concerns about the security of all sorts of connected devices, from toys to appliances to cars.
For automotive, the watershed moment came when Charlie Miller forced a Jeep vehicle into a ditch after attacking the vehicle’s systems. Suddenly, consumers became very concerned about the trust of their vehicle. Automobile manufacturers have taken a crash course in security and are pushing security requirements through their supply chains. I thought the VTech hack would be a similar watershed moment for toy manufacturers.
So how do consumers protect themselves in this connected world?
1. Go to the manufacturer’s website and look for posted information on security and privacy. Particularly, information on how they handle data collected from their toys. I know industry groups like the Consumer Technology Association are working hard to educate their member companies on security and encouraging the use of maturity models such as BSIMM.
2. Research the specific toy to determine what data is collected by the manufacturer. Specifically, does the toy collect personal data or photos? Investigate if the toy had options limiting what data is shared with the manufacturer. Examine what security protocols like password protection are included with the toy. For example, is the password hard-coded or can it be changed?
3. As a practical matter, seriously consider the risks before providing any detailed personal information about your child to a toy manufacturer. Ask why such personal information is required to use the toy. If you have a choice between a manufacturer providing what appears to be reasonable security safeguards and one that does not, choose the toy you believe you can trust even if it is more expensive.
I suppose I could show my age and suggest something less connected like a bicycle, but I know the days of connected toys are here to stay. Consumers must demand that these toys offer the basics of trust and security and become discerning about adding security and trust to their buying parameters.