The FBI warns parents of privacy and safety risks from children’s toys connected to the internet.
In an advisory posted on its website, the Federal Bureau of Investigation said that such toys may contain parts or capabilities such as microphones, cameras, GPS, data storage and speech recognition that may disclose personal information.
Normal conversation with a toy or in the surrounding environment may disclose a child’s name, school, likes and dislikes and activities, the FBI said.
“I think this is the first time the FBI has issued such a warning,” Tod Beardsley, director of research at cyber security firm Rapid7, said in a telephone interview.
“A lot of people tend to trust the FBI as a government organization, so it definitely raises awareness of the risk associated with internet-connected toys.”
Smart toys and entertainment devices are gaining popularity for incorporating technologies that learn and tailor their behaviors based on user interactions.
In February, Germany banned sales and ownership of a talking doll named Cayla made by U.S. company Genesis Toys, citing the risk of hacking associated with the toy. The country’s Federal Network Agency recommended that parents who had bought the doll for their children destroy it.
The Next Security Risk May Be Your Vibrator!
Until hackers discovered the internet of things, a maker of kitchen appliances didn’t have to worry about the security of its toasters. Now, though, the proliferation of networked devices—from televisions to refrigerators to, someday, self-driving cars—has spawned a new form of cyber attack. This is not only because the points of vulnerability multiply as a network expands, but also because many of the consumer-product manufacturers who now produce networked devices have no experience with digital security. And few internet-of-things product categories better demonstrate the urgent need to improve security standards than connected sex toys.
In late 2016, a pair of hackers at DefCon, an annual US hacking conference, revealed that one company’s connected vibrator, the We-Vibe, not only tracked sensitive data related to customers’ usage, but also that third parties could access that information. Even more troublingly, hackers were able to take control of the devices remotely.
At RightsCon Brussels 2017, a security researcher showed how another connected vibrator, this one with a built-in camera, could be hacked to allow unauthorized access to the video feed. These breaches highlight just a few of the wide array of connected products with potential vulnerabilities.
Talk of sex toys may elicit snickers. In fact, one company famous for distributing so-called stalkerware—software that enables surveillance—went so far as to focus on sex toys for an elaborate April Fools’ joke, advertising the sale of malware that allegedly could allow strangers to hack into and control a wide range of devices. The people at FlexiSpy seemed to find it funny that a product could “take remote charge of a sex toy’s power button, speed, and preference settings—even when in use.”
But it’s no laughing matter, and these examples raise serious questions: Where does liability reside in a completely connected world, and what are the policy and legal ramifications of such widespread vulnerability?
Remember the We-Vibe that was hacked at DefCon? Standard Innovation, the Canadian company that manufactured the device, eventually doled out settlements to its US customers as a result of a class-action lawsuit filed after the 2016 hacking demonstration. The litigation relied on the DefCon demonstration to prove that the company was collecting information like the temperatures of the devices, as well as the intensity of vibration and frequency of use, without users’ consent.
While it was the data collection that led to the settlement, another part of the 2016 DefCon demonstration showed an even darker potential use of the device: Using Bluetooth to connect the We-Vibe to the We-Connect app would allow a user to permit another user to control the device’s settings remotely. This was advertised as a way for partners to “keep their flame ignited—together or apart.”
That connection, however, also could be hijacked by a stranger or even a stalker to assert control over the device. This is possible by exploiting the connection to the device and monitoring its data.