Slashdot Mirror


Watchdog Group Claims Smart Toys Are Spying On Kids (mashable.com)

The Center for Digital Democracy has filed a complaint with the Federal Trade Commission warning of security and privacy holes associated with a pair of smart toys designed for children. Mashable reports: "This complaint concerns toys that spy," reads the complaint, which claims the Genesis Toys' My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information. Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in a conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways. Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while "most of Cayla's conversational features can be accessed offline," searching for information may require an internet connection. The promotional video for Cayla encourages children to "ask Cayla almost anything." The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on on screen. While some of the questions children ask the dolls are apparently recorded and sent to Nuance's servers for parsing, it's unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information. The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, "Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing." Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys' open Bluetooth networks, according to the complaint.

16 of 70 comments

  1. Re: Ahh by Anonymous Coward · · Score: 3, Informative

    No, it doesn't. Xbox and Windows 10 both require keyword activation, which occurs on the device itself and not over the Internet, to open the gateway to Microsoft's NLP service. These toys apparently skip that important step and record EVERYTHING.

  2. Re:Trend whores get what they deserve. by Anonymous Coward · · Score: 2, Funny

    There's no good reason for a fucking doll (or refrigerator or thermostat or dog bowl or...) to have goddamn internet access.

    As a dog, I agree with you on everything except the dog bowl.

  3. Re:Trend whores get what they deserve. by Anonymous Coward · · Score: 2, Funny

    No, you are a cow. Cows say Mooo. Moooo! Moooo! Moooo Cows Mooo! Mooo you internet connected cow!

  4. Re:AI will replace your children by Ol Olsoc · · Score: 2

    They're listening. They're learning. They're coming.

    They're at least breathing pretty damn hard.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Gotta say by JustAnotherOldGuy · · Score: 4, Interesting

    I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.

    Who knows what kind of conversations it might overhear, or how it might be mined for incriminating information. Or how something innocuous might be misinterpreted as grounds for an investigation by the police, CPS, the FBI, etc etc.

    I'd bet my ass it's easy to hack to act as a remotely controllable audio bug by anyone with nefarious intent.

    Even worse, who's to say the stream couldn't be modified to make it seem like it "heard" child abuse, criminal activity, domestic violence, drug dealing...the possibilities are endless. How would you dispute a recording from one of these things where you were supposedly heard discussing (or confessing to) illegal activity? How would you prove it wasn't real?

    If I was paranoid, I'd say that some intelligence organization is pushing these kinds of things in order to establish a covert surveillance network that could be used for all sorts of evil shit. But that's crazy, right? The CIA/FBI/NSA would never want a bunch of microphones in everyone's home, right?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. Of course they do. by techno-vampire · · Score: 3, Insightful

    They're a watchdog group. Their whole reason for existence is to spot things like this and call attention to them, even if there isn't really a problem. I'm not saying that they're making this up, but I'd take any claims like this with a grain of salt until there's some outside confirmation.

    --
    Good, inexpensive web hosting
    1. Re:Of course they do. by Dutch Gun · · Score: 2

      We learned not too long ago that many Smart TVs just transmit everything they hear to a remote server in the clear. How many IoT devices are compromised already and are now being used as little attack droids? How about those Sony security cameras with built-in backdoors that were uncovered recently?

      These days, your default assumption should be that any internet-connected device has zero concerns for your privacy, and is probably insecure enough to be placed immediately on a botnet as soon as any criminal cares to make the slightest attempt to compromise it. Why exactly would you think that children's toy manufacturers would do so much better when so many other IoT makers have been failing miserably to protect user privacy and security?

      --
      Irony: Agile development has too much inertia to be abandoned now.
  7. It's just a synonym by jabberw0k · · Score: 2

    Instead of "Smart" just say "Treacherous" -- as in, treacherous appliances, treacherous toys, and treacherous "telephones" which are entirely treacherous computers that give you only the flimsiest illusion of control.

  8. Obligatory Simpsons did it! by antifoidulus · · Score: 2
  9. Re:AI will replace your children by PopeRatzo · · Score: 3, Funny

    AI will replace your children

    At least the AI won't bring some fruity hipster with a man-bun over to the house for Thanksgiving like my daughter recently did. I mean, he was a nice enough guy and all, but he seemed a little low-T if you catch my drift. I tried to get him to watch football or go out back and play mumblety-peg or strip down to our briefs and try out some wrestling moves, but he demurred. He also wouldn't eat any of the turducken, saying that he was some kind of vegan or something. I mean, what the fuck is that all about? When I was his age, I lived on raw hamburger and Skoal Long Cut.

    I guess my dream of my daughter marrying a first-round draft pick out of Alabama or something is just about gone. Well, it is what it is. Kids will break your goddamn heart, you know?

    --
    You are welcome on my lawn.
  10. I may be old, but... by PopeRatzo · · Score: 4, Funny

    At least my Lincoln Logs never spied on me.

    And I'm so old that when I was five and told my dad I wanted Lincoln Logs for Christmas, he handed me a hand axe, a piece of flint and some beef jerky and dropped me off in the woods. I was out there in my little jammies in the middle of December and let me tell you, it got so cold I had to kill a deer and crawl inside to keep from freezing to death. It was like something out of The Revenant.

    Yeah, I had a rough childhood, let me tell you.

    --
    You are welcome on my lawn.
  11. Less nefarious than presented. by Gravis Zero · · Score: 3, Insightful

    As someone who actually looked and considered it, the toys are less nefarious than they seem to be accused of being. The physical toys are actually just (insecure) Bluetooth speakerphone devices. Seriously, you can use the dolls to talk to people on the phone. Where the real danger lies is in the Android/iOS applications. I do not know if the application runs in the background 24/7 but I get the feeling you have to activate it to make the toy "smart" because always being on would cause battery drain issues. If your kid already has their own Android/iOS device then you have already failed on the privacy front.

    --
    Anons need not reply. Questions end with a question mark.
  12. Re:Trend whores get what they deserve. by Anonymous Coward · · Score: 4, Interesting
  13. Re: Ahh by justthinkit · · Score: 2

    As does Hello Barbie

    --
    I come here for the love
  14. What about all of the other toys? by jbn-o · · Score: 4, Interesting

    I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.

    So is a "smart" TV, a laptop computer, a tracker (a more appropriate name for a cell phone or mobile phone which recognizes the activity it does the most), and so many other voice-activated gadgets with network connectivity all running proprietary (read: untrustworthy by default) software. And a lot of these devices have cameras in them too, also under proprietary software control. And virtually all of them have been used by kids for years. Some of these devices have geolocation hardware in them too, that must make it easier to geotag the data the proprietors can acquire, keep, and share. I think it's great that people are finally getting around to thinking about the security and privacy implications when this is presented to them in the form of a toy but really this is far too late in coming.

    Departing from the parent comment, situations like this are also a constant reminder of the profound inadequacies of modern-day IT experts who choose to surround themselves with these things, not in an experimental way to investigate them but as consumers who apparently value minor convenience more than their own privacy.

    Only software freedom helps you enjoy all of these devices in a way where you, the user and owner of the device, can have a real say in what gets recorded, where that data is copied, and thus who gets access to that data. It's not about shutting these things out of your life entirely, it's about respecting who should control this data.

  15. Re:been there done that by silentcoder · · Score: 2

    There actually IS such a show?

    --
    Unicode killed the ASCII-art *