Slashdot Mirror


Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com)

An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.

32 comments

  1. IOT by Anonymous Coward · · Score: 0

    Not surprisingly, this whole IOT fad has turned into a giant shit-show.

    1. Re:IOT by viperidaenz · · Score: 1

      Not necessarily IOT, they're just bluetooth enabled, not internet connected.

    2. Re:IOT by Opportunist · · Score: 3, Funny

      Intelligent Devices, Internet Of Things.

      Made for their acronym.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:IOT by Anonymous Coward · · Score: 0

      Did anyone else notice those weird pink things hanging out of camgirls' vajayjays about a year ago? They looked like some sort of prosthesis jammed into the girls' urethra. You saw two or three and wondered what sort of weird birth control or UTI prevention device it was. Then you saw more and more of them and realized that it was another fad and fairly much the epitome of vile, trashy American white women: money is the only thing that can bring them to orgasm. These tail-like things are called "ohmybod" or something like that and are IoT vibrators. The more money that you send to the camgirl, the more it vibrates. And there's not a whole lot holding it in. It is not in the urethra but is just left dangling out of the vagina. So when you see a girl dildoing herself with a regular toy, this weird IoT thing is competing for space. Which will it be: a faked penetrative orgasm via a pthalate-ridden Amazon pink jelly dildo or a real orgasm via several hundred dollars of audience participation?
       
      -=BeauHD=-

  2. Tests carried out by Which? by Anonymous Coward · · Score: 0

    I was wondering the same thing.

    1. Re:Tests carried out by Which? by sbrown7792 · · Score: 1

      I thought the tests were supposed to be conducted by Who?

    2. Re:Tests carried out by Which? by cayenne8 · · Score: 1

      > I thought the tests were supposed to be conducted by Who?

      But...Where?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Tests carried out by Which? by magarity · · Score: 1

      That Which? carried out the tests are those Who were ill advised on a search friendly name.

    4. Re:Tests carried out by Which? by GrumpySteen · · Score: 1

      Has anyone really been far as decided to use even go want to do test more like?

    5. Re:Tests carried out by Which? by Megane · · Score: 1

      No, Who?'s on first base. Where? is the stadium.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  3. Shocked! by AlanBDee · · Score: 0

    I'm shocked I tell you, shocked.

    1. Re:Shocked! by 93+Escort+Wagon · · Score: 1
      --
      #DeleteChrome
  4. Nintendo DS by darkain · · Score: 1

    The same scare tactics appeared when the Nintendo DS with Pictochat was released. "stalkers" could chat with your child! But what is the wireless range of the devices? 30ft or so? So basically already within visual and verbal range to begin with. But now it's exactly the same thing "BUT WITH A COMPUTER" (wait, isn't this the new Slashdot meme for patents, to just take normal everyday activities and items, slap "with a computer" on it, and patent it all over again..?)

    1. Re:Nintendo DS by Anonymous Coward · · Score: 0

      Parents give their kids internet-connected tablets and leave them alone, what do child safety advocates have to say about that?

    2. Re:Nintendo DS by tlhIngan · · Score: 3, Interesting

      > The same scare tactics appeared when the Nintendo DS with Pictochat was released. "stalkers" could chat with your child! But what is the wireless range of the devices? 30ft or so? So basically already within visual and verbal range to begin with. But now it's exactly the same thing "BUT WITH A COMPUTER" (wait, isn't this the new Slashdot meme for patents, to just take normal everyday activities and items, slap "with a computer" on it, and patent it all over again..?)

      Except two things.

      1) Pictochat only works if you're in the application. Once you exit, you can no longer send nor receive. And on the Nintendo DS, that's trivially easy to do by doing something else on the DS.

      2) Bluetooth has a range of 30' to 100'.

      If these toys are disregarding basic Bluetooth security, then it's possible for someone to simply establish a Bluetooth connection and potentially listen in, too. Being able to connect to one of these devices and use it as a spy gadget is useful.

      At least Pictochat is controllable - it only works when it's running. But these toys, if you can commandeer them to listen in 24/7, are far more dangerous.

    3. Re:Nintendo DS by sjames · · Score: 3

      Also, the child would have to be old enough to read and write to communicate in pictochat. Not ideal for dealing with strangers, but the toys in TFA could reach younger children who might not properly understand that the voice isn't their toy come to life.

    4. Re:Nintendo DS by Anonymous Coward · · Score: 0

      Maybe that whataboutism isn't an actual argument against the negligence of the companies that build and sell these toys with such obvious security flaws?

  5. You don't say... by Opportunist · · Score: 2

    What you are dealing with in the "smart devices" world today is what you saw in the computer world about 20 years ago when this "networking" thing was new for developers. They were used to creating software for standalone machines, suddenly they had to deal with the fact that there was a two-way data street connected to their machines. Looking back, we can only shake our heads at the naivete and utter ignorance. Even the last junior developer today will tell you it is a BAD, BAD, BAAAAAD idea to let anything in a browser run out of a sandbox on a user's PC. Still, 20 years ago large corporations thought this is a really smart idea, hey, we're extending the computer by content from the internet! What could possibly go wrong?

    They, like us those 20-25 years ago, see a lot of potential and incredible opportunities, while not even knowing how it could possibly be a security concern. Yes, we look at them with contempt and sneer at their ignorance, but understand that these people CANNOT know what kind of security holes they're ripping into our homes.

    That doesn't mean that it should be excused or that they deserve sympathy. It only means that we shouldn't buy their junk for the same reason we don't buy cars from someone who has so far only built shopping carts.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:You don't say... by Immerman · · Score: 2

      > these people CANNOT know what kind of security holes they're ripping into our homes.

      Sure they can - they can do their due diligence and hire someone that knows what the %$@! they're doing. And then *listen* to them. This isn't the 80s anymore - the problems are mostly well understood by, not only experts, but anyone even moderately competent in network security. If you're making an internet-connected device without getting a competent network security person to sign off on it, you should be held just as liable for the failures as a car maker that never bothered to do any crash testing.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:You don't say... by Opportunist · · Score: 2

      So how many people do you know that have a background in IT security AND embedded design? I know one. And I already have a job. I'm not about to leave the job I already have.

      Embedded development is a totally different beast than "normal" networking stuff. You cannot just take what you learned in your 20 years of writing network applications and transfer it. Twice so when you're dealing with the various legal and technical restrictions in the car industry on top of the other headaches. This isn't as trivial as you make it out to be.

      That's not to absolve them from their "sins". Far from it. It should rather convince them not to commit them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:You don't say... by Immerman · · Score: 1

      They've already got the embedded developers - they're making products. All they need is the network security expert to review what they're doing, early and often.

      Also, having not done networked embedded development, can you enlighten me on what's so different? Obviously you generally have fewer resources to waste on layers of APIs, but the basic protocols are all the same, as well as the fact that you can't trust *anything* coming in from elsewhere to "obey the rules" until you've personally scrubbed it for compliance.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    4. Re:You don't say... by Opportunist · · Score: 1

      It starts way lower usually. With any hint of bad luck, you not only have to review the SSL implementation, you have to review the IP stack implementation. Many off-the-shelf solutions don't apply due to timing or resource limitations. You can for example usually not simply take any USB implementation because the hardware you have available cannot handle USB 2.0 timing constraints. You cannot waste a few MB of RAM on a sensible IP stack implementation because that's literally all available RAM you have. Buffer over- and underruns as well as out-of-memory conditions that never happen in a remotely sensible setup suddenly become realities because you DO run out of resources. And a lot of easy fixes are simply not available because they require, you guessed it, throwing more resources against the problem.

      Something as simple as key sizes suddenly becomes an issue because for the hardware you have available it makes a huge difference if your key is suddenly twice the size, something you don't even notice in normal computing.

      And as soon as you as much as touch real time issues as you often do in a car environment, you're really in for a world of hurt and headache.

      All this requires that the security guy you hire at least knows of those problems, even if he never had to deal with them himself, or else you get a security report you simply cannot heed due to the limitations you're dealing with. It would be like the mouse asking the owl how to escape the cat and getting the answer "spread your wings and fly away, duh".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:You don't say... by Immerman · · Score: 1

      >you get a security report you simply cannot heed due to the limitations you're dealing with

      Keeping in mind of course that those limits are almost completely arbitrary - after all today you can get the equivalent of a low-end desktop PC with a few hundred megs of RAM for $5. Retail. Yeah, it raises the cost of the vehicle slightly to use them, but so do seatbelts, safety-glass windows, engineered crumple-zones, etc., etc., etc.

      Unless available power is at a premium, you can always upgrade your hardware. Possibly it's a legitimate (small) issue for toys, but I'd bet good money you could triple the available resources for a small reduction in battery life.

      Meanwhile - throwing resources at buffer overrun/underrun issues doesn't solve them, it only hides them. In fact that's one of the things you're specifically NOT supposed to do for security - you *want* those overruns to occur under (ab)normal circumstances, to expose the fact that your code allows them to happen, because a malicious attacker doesn't much care whether it takes 100 bytes or 10 million to trigger the overrun - if the exploit is possible they're going to use it.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    6. Re:You don't say... by Opportunist · · Score: 1

      And that hardware you want to use is certified for the purpose you plan to use it in? Because if not and ANYTHING happens (whether related to the hardware you use or not), be prepared for a lengthy and costly legal battle that you most likely will lose.

      Get it certified? Not really cheaper.

      You'd be surprised just how little choice you actually have sometimes.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:You don't say... by Immerman · · Score: 1

      That may be applicable to cars - I doubt anyone has ever certified anything related to a web-cam enabled teddy bear.

      Even in cars though - if you substantially change the scenario, the certification should be the *first* thing to be updated. The instant you plan to provide any remote-accessible communications channel to the inner workings of a car, suitable security should become part of the certification requirements.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  6. Who knew? by Anonymous Coward · · Score: 0

    That a bluetooth butt plug could be such fun and such a danger at the same time?

  7. Not really surprising by Anonymous Coward · · Score: 0

    Just like this comment.

  8. Developers, developers, developers... by mejustme · · Score: 4, Insightful

    You get what you pay for. And I'm talking about the software developers here, not commenting on the toys. Company X hires junior developers, or can only retain developers working for minimal pay.

    Guess what the quality of their work is going to be? Guess what the company's QA department looks like?

    No surprise. Race to the bottom!

  9. SOS Different story by Anonymous Coward · · Score: 0

    Profit first, settle lawsuits later.

  10. False Statement by Anonymous Coward · · Score: 0

    Pretending these are flaws, defects, that's misleading.
    These "flaws" as the investigation calls them are purposefully designed into the items, from the very beginning. To everyone involved in these toys' creation save the customers themselves, these are very much deliberate features.

  11. Bluetooth classes by DrYak · · Score: 4, Informative

    > But what is the wireless range of the devices? 30ft or so?

    Bluetooth devices are sorted into classes depending on radio power and thus range.
    Your random USB bluetooth dongle is usually a Class 2 device with a range of ~10m (about 30ft).
    There are USB dongles that are Class 1 devices with a range of ~100m (about 300ft).

    Also keep in mind that most walls (except steel reinforced concrete) are transparent to the frequency range used by Bluetooth/Wifi/Wireless-USB/etc.

    So by using off-the-shelf parts, an attacker could hack the toys from the street in front of the house.

    And that's just the off-the-shelf dongle. Then you can basically watch any computer security conference and see people boosting range of various wireless gizmos (RFID/NFC dongles, etc.) to crazy distances.
    Cue in demos of mass-hacking using a Pringles can-tenna.
    (an attacker could scan the whole street using a simple modified bluetooth setup).

    A burglar wants to see which houses on a street are potentially empty? Just mass-scan all the unsecured IoT thingies (Bluetooth enabled toys, Wifi enabled surveillance, etc.) and see which of those only register silence or no visual motion.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  12. Bluetooth Security by Anonymous Coward · · Score: 0

    > With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access.

    Define "gain access", because I thought that was a feature of Bluetooth? You don't need any sort of password to "gain access" (aka, pair the device), but once paired it is a secure, encrypted connection that cannot be eavesdropped on?

    Do I just majorly misunderstand Bluetooth?