Slashdot Mirror


Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com)

An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.

8 of 32 comments

  1. Re:IOT by Opportunist · Score: 3, Funny

    Intelligent Devices, Internet Of Things.

    Made for their acronym.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. You don't say... by Opportunist · Score: 2

    What you are dealing with in the "smart devices" world today is what you saw in the computer world about 20 years ago when this "networking" thing was new for developers. They were used to creating software for standalone machines, suddenly they had to deal with the fact that there was a two-way data street connected to their machines. Looking back, we can only shake our heads at the naivete and utter ignorance. Even the last junior developer today will tell you it is a BAD, BAD, BAAAAAD idea to let anything in a browser run out of a sandbox on a user's PC. Still, 20 years ago large corporations thought this is a really smart idea, hey, we're extending the computer by content from the internet! What could possibly go wrong?

    They, like us those 20-25 years ago, see a lot of potential and incredible opportunities, while not even knowing how it could possibly be a security concern. Yes, we look at them with contempt and sneer at their ignorance, but understand that these people CANNOT know what kind of security holes they're ripping into our homes.

    That doesn't mean that it should be excused or that they deserve sympathy. It only means that we shouldn't buy their junk for the same reason we don't buy cars from someone who has so far only built shopping carts.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:You don't say... by Immerman · Score: 2

      > these people CANNOT know what kind of security holes they're ripping into our homes.

      Sure they can - they can do their due diligence and hire someone that knows what the %$@! they're doing. And then *listen* to them. This isn't the 80s anymore - the problems are mostly well understood by, not only experts, but anyone even moderately competent in network security. If you're making an internet-connected device without getting a competent network security person to sign off on it, you should be held just as liable for the failures as a car maker that never bothered to do any crash testing.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:You don't say... by Opportunist · Score: 2

      So how many people do you know that have a background in IT security AND embedded design? I know one. And I already have a job I'm not about to leave.

      Embedded development is a totally different beast than "normal" networking stuff. You cannot just take what you learned in your 20 years of writing network applications and transfer it. Twice so when you're dealing with the various legal and technical restrictions in the car industry on top of the other headaches. This isn't as trivial as you make it out to be.

      That's not to absolve them from their "sins". Far from it. It should rather convince them not to commit them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Nintendo DS by tlhIngan · Score: 3, Interesting

    The same scare tactics appeared when the Nintendo DS with Pictochat was released. "Stalkers" could chat with your child! But what is the wireless range of the devices? 30ft or so? So basically already within visual and verbal range to begin with. But now it's exactly the same thing "BUT WITH A COMPUTER" (wait, isn't this the new Slashdot meme for patents, to just take normal everyday activities and items, slap "with a computer" on it, and patent it all over again..?)

    Except two things.

    1) Pictochat only works if you're in the application. Once you exit, you can no longer send nor receive. And on the Nintendo DS, that's trivially easy to do by doing something else on the DS.

    2) Bluetooth has a range of 30' to 100'.

    If these toys are disregarding basic Bluetooth security, then it's possible for someone to simply establish a Bluetooth connection and potentially listen in, too. Being able to connect to one of these devices and use it as a spy gadget is useful.

    At least Pictochat is controllable - it only works when it's running. But these toys, if you can commandeer them to listen in 24/7, are far more dangerous.

  4. Developers, developers, developers... by mejustme · Score: 4, Insightful

    You get what you pay for. And I'm talking about the software developers here, not commenting on the toys. Company X hires junior developers, or can only retain developers working for minimal pay.

    Guess what the quality of their work is going to be? Guess what the company's QA department looks like?

    No surprise. Race to the bottom!

  5. Re:Nintendo DS by sjames · Score: 3

    Also, the child would have to be old enough to read and write to communicate in Pictochat. Not ideal for dealing with strangers, but the toys in TFA could reach younger children who might not properly understand that the voice isn't their toy come to life.

  6. Bluetooth classes by DrYak · Score: 4, Informative

    > But what is the wireless range of the devices? 30ft or so?

    Bluetooth devices are sorted into classes depending on radio power and thus range.
    Your random USB Bluetooth dongle is usually a Class 2 device with a range of ~10m (about 30ft).
    There are USB dongles that are Class 1 devices with a range of ~100m (about 300ft).

    Also keep in mind that most walls (except steel-reinforced concrete) are transparent to the frequency range used by Bluetooth/Wifi/Wireless-USB/etc.

    So by using off-the-shelf parts, an attacker could hack the toys from the street in front of the house.

    And that's just the off-the-shelf dongle. Then you can basically watch any computer security conference and see people boosting the range of various wireless gizmos (RFID/NFC dongles, etc.) to crazy distances.
    Cue in demos of mass-hacking using a Pringles can-tenna.
    (An attacker could scan the whole street using a simple modified Bluetooth setup.)

    A burglar wants to see which houses on a street are potentially empty? Just mass-scan all the unsecured IoT thingies (Bluetooth-enabled toys, Wifi-enabled surveillance, etc.) and see which of those only register silence or no visual motion.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]