{"id":14679,"date":"2017-04-17T13:37:38","date_gmt":"2017-04-17T17:37:38","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=14679"},"modified":"2019-11-15T06:48:26","modified_gmt":"2019-11-15T11:48:26","slug":"kids-devices-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/kids-devices-vulnerabilities\/14679\/","title":{"rendered":"Kids&#8217; toys have serious privacy problems"},"content":{"rendered":"<p>Considering the sweeping regulations and laws meant to safeguard children\u2019s privacy in particular, you might think electronic devices and connected toys for kids would be especially safe and secure. We generally regard children\u2019s privacy as sacrosanct \u2014 kids are particularly vulnerable to advertisers, marketers, predators, and more.<\/p>\n<p>With each new data leak brought to light, it becomes ever more clear that we cannot trust manufacturers to take care of our security, or the security of our children. Let\u2019s analyze a couple of examples to understand the nasty surprises smart toys can hold.<\/p>\n<h2>Spying<\/h2>\n<p>In December 2016, privacy advocates <a href=\"https:\/\/epic.org\/privacy\/kids\/EPIC-IPR-FTC-Genesis-Complaint.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">filed a complaint with the US Federal Trade Commission against Genesis Toys<\/a>, producer of <a href=\"https:\/\/www.kaspersky.com\/blog\/my-friend-cayla-risks\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Cayla dolls<\/a> and i-Que toy robots. 
Another defendant was Nuance Communications, the company behind the speech-recognition technology enabling the toys to converse with kids.<\/p>\n<p>The plaintiffs were quite clear from the start: \u201c<a href=\"https:\/\/epic.org\/privacy\/kids\/EPIC-IPR-FTC-Genesis-Complaint.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">This complaint concerns toys that spy.<\/a>\u201d<\/p>\n<p>Let\u2019s examine the elements of the claim:<\/p>\n<ul>\n<li>The app used to interact with Cayla dolls requires permission to access files stored on the device, and i-Que\u2019s app asks for permission to access the device\u2019s camera. The vendor does not explain why the apps need those permissions. Moreover, permission to access the camera is not mentioned on the official website or in the demo video.<\/li>\n<li>To connect to a smartphone or tablet, the toys use an insecure Bluetooth connection that does not require authentication. In addition, the toy does not notify users when it connects to a device. This insecurity can allow an intruder not only to eavesdrop but also to talk to the kid.<\/li>\n<li>The toys advertise, mentioning various brand names during conversation.<\/li>\n<li>The Cayla doll app prompts kids to provide personally identifiable information: parents\u2019 names, place of residence, name of school, and more.<\/li>\n<li>Both apps send recordings of conversations to Nuance Communications\u2019 servers, where they are analyzed to improve responses. The recordings are stored on the servers, again for the purpose of improving the service.<\/li>\n<li>Vendors fail to clearly explain what kind of data they gather from kids.<\/li>\n<\/ul>\n<p>Genesis Toys\u2019 spying capabilities were sufficient cause for German regulators to ban their sales entirely. Owners of insecure toys were urged to <a href=\"https:\/\/www.kaspersky.com\/blog\/my-friend-cayla-risks\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">get rid of them<\/a>. 
The German government identifies such toys as concealed surveillance devices, which are prohibited by law.<\/p>\n<p>In December 2016, the Consumer Protection Board of Norway <a href=\"https:\/\/fil.forbrukerradet.no\/wp-content\/uploads\/2016\/12\/complaint-dpa-co.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">also expressed its concern<\/a> about privacy issues in Cayla dolls and i-Que robots.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/lAOj0H5c6Yc?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>By contrast, the British Toy Retailers Association <a href=\"http:\/\/www.bbc.com\/news\/world-europe-39002142\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">commented to the BBC<\/a> that Cayla \u201coffers no special risk.\u201d<\/p>\n<h3>Insecurity<\/h3>\n<p>In another security incident, \u201cleak\u201d comes nowhere close to describing the magnitude of the breach. To extend the metaphor, it was a catastrophic dam break that caused a flood, or even a deluge, of personal data. Or, to be painfully precise, there was no dam to begin with.<\/p>\n<p>Spiral Toys\u2019 CloudPets are plush animals that exchange messages between kids and parents. The toy connects to parents\u2019 smartphones over Bluetooth, and parents use a special app to connect to the toy.<\/p>\n<p>It may be a great way for parents to stay in touch with their kids, but the content gathered by the system was not properly secured. The database of user credentials was not protected at all. 
Anyone could connect to the server without authentication, look up the data, or duplicate the database and store it on another computer.<\/p>\n<p>Security researcher Victor Gevers noticed the issue and notified the vendor on December 31, 2016. Then Troy Hunt, a renowned security expert, received from an anonymous source a file containing <a href=\"https:\/\/www.troyhunt.com\/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">more than half a million CloudPets user records<\/a>. In addition to the child\u2019s name, each record contained a birth date and information on relatives the kid talked to through the toy. The overall count of compromised CloudPets user records surpassed 800,000.<\/p>\n<p>An outsider in possession of the password can download all messages sent through the toy. Unlike the other data, users\u2019 passwords were hashed to protect them. Hashing provides some protection, although brute-force attacks can still reveal passwords, particularly simple ones.<\/p>\n<p>Unfortunately, it\u2019s also quite possible to eavesdrop on conversations without the password. As it turned out, the recordings of messages and images were stored in Amazon S3 cloud storage. An attacker had only to click a link from the compromised database to get a sound file from the server. The total number of available recordings surpassed 2,000,000.<\/p>\n<p>Of course, it wasn\u2019t only white hats who learned about the insecurity. The server storing kids\u2019 data turned into a mess, with database copies being deleted and ransom demands made. The database was subsequently taken down, although copies could still be out there.<\/p>\n<p>Spiral Toys did not respond to the people trying to notify it about the problem, which included Gevers, Hunt, Hunt\u2019s informant, and reporter Lorenzo Franceschi-Bicchierai. 
Then, in March 2017, the US Senate requested that Spiral Toys come clean on the data leaks and its data-protection policies. Troy Hunt <a href=\"http:\/\/files.troyhunt.com\/03.07.17%20BN%20Letter%20to%20Spiral%20Toys%20re%20Data%20Breach.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">published<\/a> the text of the request.<\/p>\n<p>Spiral Toys finally responded \u2014 to the Attorney General of California. DataBreaches.net <a href=\"https:\/\/www.databreaches.net\/spiral-toys-sends-something-to-the-california-attorney-general-but-what-is-it\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">published the response<\/a>. The company said it was made aware of the incident on February 22 by Franceschi-Bicchierai, who learned about the compromise from an unnamed source. Although a number of security researchers tried to get in touch with the company before February 22, Spiral Toys said it never got those messages and was investigating the cause.<\/p>\n<p>The leak, Spiral Toys pointed out, was part of a massive attack on MongoDB installations all over the Internet. Voice messages and pictures were not affected, said the company, because they were stored on another server. 
The compromised database was not the main database, it said, but a temporary one used by developers.<\/p>\n<p>Spiral Toys also published a <a href=\"https:\/\/cloudpets.zendesk.com\/hc\/en-us\/articles\/115003696948-CloudPets-Data-Breach-FAQs\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">FAQ for users containing the above information<\/a> and noting the company\u2019s new, stronger password requirements.<\/p>\n<h3>Open databases<\/h3>\n<p>Other prominent leaks include the database <a href=\"https:\/\/www.kaspersky.com\/blog\/hello-kitty-hacked\/10916\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">of the official website of the company behind Hello Kitty toys<\/a> (3,300,000 user records compromised) and <a href=\"https:\/\/www.kaspersky.com\/blog\/vtech-toys-hacked\/10697\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">the database of VTech\u2019s online store<\/a> (5,500,000 user records and a huge number of kids\u2019 photos compromised). Both incidents happened in 2015.<\/p>\n<p>The CloudPets service and Hello Kitty website developers used the MongoDB database management solution, which made a lot of headlines after hackers compromised (or, more precisely, got full control over) tens of thousands of databases.<\/p>\n<p>Owners of hijacked databases may be victims, but they are not innocent. By failing to require authentication, MongoDB left database doors wide open, and by using open databases, manufacturers indicated they didn\u2019t care.<\/p>\n<p>Of course, MongoDB is not the entire problem \u2014 the overall state of security needs work. All efforts by regulators, privacy advocates, and security experts simply cannot overcome the speed of new tech adoption and the overall trend of user data devaluation.<\/p>\n<p>By the way, after the compromise of MongoDB, hackers undertook massive attacks on distributed database management systems. 
Any unprotected database <em>will<\/em> end up leaked online, and the average user won\u2019t be able to do a thing about it. It\u2019s cold comfort that one database leak was just a temporary, auxiliary database if the data was real. Shutting down a compromised system doesn\u2019t magically make personal data private again.<\/p>\n<h2>Tips for parents<\/h2>\n<p>Be cautious about giving your kid a smart electronic toy. In particular, note the following red flags:<\/p>\n<ul>\n<li><b>If the toy sends data to the Internet.<\/b> Many toys do, and the trend even extends to regular stuffed toys.<\/li>\n<li><b>If you can\u2019t control the toy\u2019s actions.<\/b> At least Cayla dolls have a flashing indicator showing the microphone is on. With mobile apps, you may not even know when they start. Kaspersky Lab has found that 96% of apps start in background mode, <a href=\"https:\/\/www.kaspersky.com\/blog\/secret-life-of-apps\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">even if a user does not launch them<\/a>.<\/li>\n<li><b>If a toy is equipped with a microphone and a camera.<\/b> It\u2019s not just advanced teddy bears and robots \u2014 this category includes mobile apps with <a href=\"https:\/\/www.kaspersky.com\/blog\/android-permissions-guide\/14014\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">relevant permissions<\/a>.<\/li>\n<li><b>If a toy pulls personal information out of the kid.<\/b><\/li>\n<li><b>If the settings are too simple.<\/b> For example, a Bluetooth connection does not require authentication.<\/li>\n<\/ul>\n<p>Even one of these points should be enough to reconsider the balance of connected-toy fun and your child\u2019s privacy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Think connected toys for kids are more secure than those for adults? 
Think again.<\/p>\n","protected":false},"author":2049,"featured_media":14680,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1788,9],"tags":[527,89,961,1065,43,2000,97,131,1932],"class_list":{"0":"post-14679","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-privacy","9":"category-tips","10":"tag-hacks","11":"tag-kids","12":"tag-leaks","13":"tag-online-services","14":"tag-privacy","15":"tag-raising-kids","16":"tag-security-2","17":"tag-tips","18":"tag-toys"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/kids-devices-vulnerabilities\/14679\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/kids-devices-vulnerabilities\/11038\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/kids-devices-vulnerabilities\/9092\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/kids-devices-vulnerabilities\/10405\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/kids-devices-vulnerabilities\/10144\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/kids-devices-vulnerabilities\/14574\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/kids-devices-vulnerabilities\/6948\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/kids-devices-vulnerabilities\/9100\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/kids-devices-vulnerabilities\/6611\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/kids-devices-vulnerabilities\/10074\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/kids-devices-vulnerabilities\/15313\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/kids-devices-vulnerabilities\/14679\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/kids-devices-vulnerabilities\/14679\/"}],"acf":[],"banners":"","maintag
":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/kids\/","name":"kids"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2049"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14679"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14679\/revisions"}],"predecessor-version":[{"id":29999,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14679\/revisions\/29999"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/14680"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}