This week we’re talking about . . . toys that spy on you
Forget about nanny cams – start looking a little more closely at your child’s ‘smart’ toys
Seeing the bigger picture: “smart” toys are sometimes at risk from hacking. Photograph: iStock/Getty Images
Say what now?
No, really. What are you talking about?
All those connected toys that seem so clever, responding to your child’s chatter. You know, like My Friend Cayla, or last year’s Hello Barbie. The toys use voice recognition, but none of that happens inside the toy – it’s sent off to the cloud, translated and sent back to the doll in rapid time. Experts have warned that connected toys could be hacked, putting your child at risk.
How exactly could they be hacked?
We’re not experts on My Friend Cayla, but people who claim to be knowledgeable on these things say that Cayla connects to your tablet or smartphone over unsecured Bluetooth. The problem there is that if your phone can connect to it, so can complete strangers in range of it.
Is this a new thing?
The hacking? No. There have been warnings about the security risks of these toys for more than a year now. Last year, researchers hacked into Cayla, describing the doll as a Bluetooth headset dressed up to look like a doll. Random pairing, man-in-the-middle attacks – there were more than a few things that raised security eyebrows. Particularly the Android app, which could be modified to make Cayla say some distinctly unchild-friendly things.
Toys are becoming increasingly “smart”. Take this year’s Furby, the Furby Connect, which connects to an app on your tablet via Bluetooth. Strictly speaking, it doesn’t need to connect to your tablet for anything except software updates, but it adds an extra dimension to play (a rather annoying one, mind you), including increasing your Furby’s knowledge of viral videos. Do you need it? No. Is it fun? Eh . . . for kids, yes. But there are other toys that rely heavily on some sort of wireless connection to function properly. Mix that with lax security and you might have a problem.
The moral of the story is: toy makers, buck up your ideas.
Is it likely to happen?
Never rule anything out. There were some very surprised – and rightly freaked-out – parents who realised that their internet-connected baby monitors were vulnerable to being hacked by outsiders a couple of years ago. So the general rule of thumb should be if it has a wireless or Bluetooth connection, proceed with caution and follow all the security protocols you can. Anything that can be connected to the internet or a wireless is potentially vulnerable to being hacked. And while companies can take all the steps they feel are necessary to prevent that from happening, or at least minimise the risk, all it takes is one tiny chink to take advantage.
There is another angle to consider. All those voice samples that are sent to the cloud to be analysed are subject to certain data protection regulations, but that’s a minefield and one that is changing all the time. And who reads the privacy policies that come with these devices? We’re betting not many people. (If you want to freak yourself out with exactly what Google knows about you, including listening back to some voice samples that Android captured, read more here.)
So what should I do then?
Read the fine print carefully. Be aware of the risks. And if in doubt, don’t connect the toy – although, for some of them, that would entirely defeat the purpose.