Police fears over online toys and devices

Safety concerns over smart home appliances and toys have prompted police in the UK and US to call for controls on Internet of Things devices.

The elephant in the room - the threat from online toys

The elephant in the room – the threat from online toys

The police warnings follow many recent incidents that have seen hackers and security companies exploiting weaknesses in IoT appliances that can lead to unwelcome access to homes, children and personal data.

In the latest intervention, the Chief Constable of Durham, Mike Barton has publicly called for a security rating system on smart home devices that lets someone buying a smart appliance instantly see how safe it is when connected to their home network.

The warning from the Durham Chief Constable follows an earlier alert from the FBI that many children’s toys that connect to the internet give undesirable access to your family and, more worryingly give strangers direct access to your child.

One example is Cloud Pet, a range of soft toys which would not look out of place in any toy shop and comes in forms ranging from the standard teddy bear to elephants and unicorns. It is aimed at the modern working family and is a way for parents who are working away from home to keep in touch with their child.


The absent parent can record a message on their phone or tablet and send it using an app. A notification and the message are sent to their partner’s device for approval and then at a click of a button the message is sent via blue tooth to the toy so the child can hear their absent parents voice. The child can reply via the same route by pushing a button hidden in the toys paw.

But in February, a security blunder was discovered by the Australian cyber security researcher Troy Hunt, and flagged up on his website ‘Have I been Pwned’. Hunt found a database from Spiral Toys, a toy manufacturer that produces a range of online toys called ‘Cloud Pets’ had been left online with no password protection.

On his website, Hunt laid out the scale of the flaw with 2.2 m recordings of children and their parents being available along with 800,000 email addresses and passwords.

“Unfortunately, this one was ridiculously easy. The company that runs the service left their database public on the internet without a password and people found it. It was that simple,” said Hunt.

“I think the thing that we are all most concerned about is these toys recorded kids’ voices. This is the entire design of it. You leave a message for your father as a child or your mother and the relative then leaves a message for you on their phone and sends it back to the kids. So who is listening to it? That scares all of us with kids, I think.”

Hunt, who started his website to raise awareness of cyber threats added that on at least three occasions these files, a lot of them recordings of children linked to sensitive account information, were copied and deleted with a ransom notes left in their place to buy back the information.

Further to this, a month later a vulnerability was found in the Cloud Pets Bluetooth Web API. With some know how, an individual can setup a webpage and use it to connect directly to the Cloud Pet with no further authorisation needed and gain control of its functions.

In a worst-case scenario, this means that an individual can constantly listen in on the child and talk to them directly when they are within range of the toy. Theoretically this means they only need to be outside a family’s house, or parked in a car next to a playground.

In January 2015, a doll called Cayla with much of the same functionality was shown to have similar problems, and once hacked could be made to say whatever was wished by researchers working for the UK security company PenTest Partners.

According to cyber experts the incidents are part of a growing issue with IoT devices across the board including not only toys but also systems used in the Critical National Infrastructure caused by manufacturers cutting corners in search of profits and not producing systems that have sufficient computing and storage space to run effective computer security programs.

Speaking about the IoT devices that control crucial parts of the infrastructure we all rely on Joe Weiss, an acknowledged CNI expert said: ‘the old sensors were security agnostic, basically dumb and people added some remote access. The new sensors, are online from day one, they were designed that way. The new stuff is worse than the old. We’re another generation from actually having secure stuff come out.

“The new stuff has not been designed with space enough to run security programs on. Not when you talk about sensors and actuators and drives.”

A problem that bedevils all IoT devices and one that is only likely to be corrected by legislation.

The Cloud Pets can still be bought from retail giants Amazon Online and Tesco Direct as well as on the high street from The Entertainer chain of toy stores, though recently at up to 80% off their initial price.




Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.