Toys that spy
Fairfax’s Peter Munro looks at children’s toys that have the potential to spy on the unsuspecting child.
“It is a little freaky having a doll talking to you,” says Kate Highfield. She’s been chatting with Hello Barbie, a Wi-Fi-enabled plaything who promises to be “just like a real friend” – but for being plastic and having no hips.
The interactive toy uses voice-recognition software to “listen” to people speak and give personalised responses, by sending their audio recordings over the web to be analysed and processed. She’s part of a growing wave of high-tech internet-connected toys that spy on what children say and do – sparking privacy fears ahead of Christmas.
Cybersecurity experts this month uncovered major flaws in the systems behind Hello Barbie, which could have helped hackers eavesdrop on children’s playtime. Separately, a major security breach involving a toy tablet computer recently exposed the personal details of more than six million children, including their photographs and voice recordings.
Cyber experts have uncovered major security flaws in the systems behind Hello Barbie.
The hack of digital toymaker VTech’s Kid Connect service, which allows adults to use smartphones to chat with children using the tablet, also linked the database back to parents, making it possible to expose a child’s full name and home address.
Any so-called “connected toy” – including smartphone-controlled drones and tanks, or bluetooth-enabled Lego – is potentially vulnerable to security breaches, says computer security researcher Troy Hunt.
“They’re collecting personal data about your children and you have to assume that at some point they will screw up and lose your data,” he says. “Parents sitting in their kid’s bedroom lose track of the fact that their details are going back to a server somewhere.
Children’s photos and audio recordings were released after a hack of VTech’s online accounts.
“If you steal little Johnny’s iPad it is not likely to have his bank details on it. But toys have risks and vulnerabilities we would never expect in their adult counterparts.”
IBISWorld says demand for traditional toys and games has declined against strong competition from electronic toys, along with children’s apps and web-enabled gadgets.
In February, hackers reprogrammed the internet-connected doll My Friend Cayla to spout quotes from fictional serial killer Hannibal Lecter and the book 50 Shades of Grey.
Hello Barbie’s potential security flaws included the use of hardcoded passwords, which hackers might exploit to steal audio recordings that passed between the doll and its computer servers.
“The fact that she’s web-enabled means she is amazingly clever and terribly scary,” says Dr Highfield, from the Institute of Early Childhood at Macquarie University. During a demonstration of the toy in the United States last month, Hello Barbie asked Dr Highfield her favourite colour (blue) and who lived in her house.
“The conversation was quite inane but there’s the potential for concerning things to be transmitted online – your address, your personal details, your children’s personal details, who their friends are,” she says.
A spokeswoman for toymaker Mattel recently said it was working “to ensure the safety and security of Hello Barbie”.
But cybersecurity specialist Ty Miller, of Threat Intelligence, says there will “almost certainly” be more security breaches of internet-connected toys. “Toymakers are wanting to bring out the latest and greatest toys that are interconnected and cloud-integrated but a lot of the time they are just not secured,” he says.
“They’re collecting too much sensitive data about your child, which could be anything from their name and address, through to potentially their GPS coordinates. How is that going to impact the safety of your child if that data gets breached?”