Call to ban sale of IoT toys with proven security flaws

Tech News 2017-11-15

Ahead of 2017’s present-buying season, UK consumer rights group Which? has warned parents about the risks of giving connected toys to their children, and called for devices with known security and/or privacy risks to be banned from sale on kids’ safety grounds.

Working with security researchers, the group has spent the past 12 months investigating several popular Bluetooth or wi-fi toys that are on sale at major retailers, and says it found “concerning vulnerabilities” in several devices that could “enable anyone to effectively talk to a child through their toy”.

It has published specific findings on four of the toys it looked at: the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy.

The latter toy drew major criticism from security experts in February when it was discovered that its maker had stored thousands of unencrypted voice recordings of kids and parents using the toy in a publicly accessible online database — with no authentication required to access the data. (Data was subsequently deleted and ransomed.)

Which? says in all cases it was found to be far too easy for someone to illicitly pair their own device to the toys and use the tech to talk to a child. It especially highlights Bluetooth connections not having been properly secured — noting for example there was no requirement for a user to enter a password, PIN code or any other authentication to gain access.

“That person would need hardly any technical know-how to ‘hack’ your child’s toy,” it writes. “Bluetooth has a range limit, usually 10 meters, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range, and it’s possible someone could set up a mobile system in a vehicle to trawl the streets hunting for unsecured toys.”

In the case of the Furby, Which?’s external security researchers also thought it would be possible for someone to re-engineer its firmware to turn the toy into a listening device, due to a vulnerability they found in the toy’s design (which Which? is not publicly disclosing), although they were not themselves able to do this during the time they had for the investigation.

Which? describes its findings as “the tip of a very worrying iceberg” — also flagging other concerns raised over kids’ IoT devices from several European regulatory bodies.

Last month, for example, the Norwegian Consumer Council warned over similar security and privacy concerns pertaining to kids’ smartwatches.

This summer the FBI also issued a consumer notice warning that IoT toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed”.

“You wouldn’t let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy,” said Alex Neill, Which? MD of home products and services, in a statement.

“While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can’t be guaranteed, then the products should not be sold.”


Source: TechCrunch (original link).

