Slashdot Mirror


Watchdog Group Claims Smart Toys Are Spying On Kids (mashable.com)

The Center for Digital Democracy has filed a complaint with the Federal Trade Commission warning of security and privacy holes associated with a pair of smart toys designed for children. Mashable reports: "This complaint concerns toys that spy," reads the complaint, which claims the Genesis Toys' My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information. Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in a conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways.

Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while "most of Cayla's conversational features can be accessed offline," searching for information may require an internet connection. The promotional video for Cayla encourages children to "ask Cayla almost anything." The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on on screen. While some of the questions children ask the dolls are apparently recorded and sent to Nuance's servers for parsing, it's unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information.

The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, "Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing." Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys' open Bluetooth networks, according to the complaint.

3 of 70 comments

  1. Gotta say by JustAnotherOldGuy · Score: 4, Interesting

    I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.

    Who knows what kind of conversations it might overhear, or how it might be mined for incriminating information. Or how something innocuous might be misinterpreted as grounds for an investigation by the police, CPS, the FBI, etc etc.

    I'd bet my ass it's easy to hack to act as a remotely controllable audio bug by anyone with nefarious intent.

    Even worse, who's to say the stream couldn't be modified to make it seem like it "heard" child abuse, criminal activity, domestic violence, drug dealing...the possibilities are endless. How would you dispute a recording from one of these things where you were supposedly heard discussing (or confessing to) illegal activity? How would you prove it wasn't real?

    If I was paranoid, I'd say that some intelligence organization is pushing these kinds of things in order to establish a covert surveillance network that could be used for all sorts of evil shit. But that's crazy, right? The CIA/FBI/NSA would never want a bunch of microphones in everyone's home, right?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  2. Re:Trend whores get what they deserve. by Anonymous Coward · Score: 4, Interesting
  3. What about all of the other toys? by jbn-o · Score: 4, Interesting

    > I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.

    So is a "smart" TV, a laptop computer, a tracker (a more appropriate name for a cell phone or mobile phone which recognizes the activity it does the most), and so many other voice-activated gadgets with network connectivity all running proprietary (read: untrustworthy by default) software. And a lot of these devices have cameras in them too, also under proprietary software control. And virtually all of them have been used by kids for years. Some of these devices have geolocation hardware in them too, that must make it easier to geotag the data the proprietors can acquire, keep, and share. I think it's great that people are finally getting around to thinking about the security and privacy implications when this is presented to them in the form of a toy but really this is far too late in coming.

    Departing from the parent comment, situations like this are also a constant reminder of the profound inadequacies of modern-day IT experts who choose to surround themselves with these things, not in an experimental way to investigate them but as consumers who apparently value minor convenience more than their own privacy.

    Only software freedom helps you enjoy all of these devices in a way where you, the user and owner of the device, can have a real say in what gets recorded, where that data is copied, and thus who gets access to that data. It's not about shutting these things out of your life entirely, it's about respecting who should control this data.