Why 'Smart' Devices May Not Be SecureWithout Proof, Always Assume Privacy and Security Are Broken
See Also: Stopping BEC and EAC
Have our collective information security shortcomings ever been more seasonally appropriate - or scarier?
"Crypto is hard. Assume products are broken until proven otherwise."
One of the toymakers in question is Hong Kong-based VTech, which bills itself as "The global No. 1 player for electronic learning products." It recently suffered a data breach that exposed profiles for 6.4 million children and 4.9 million adults, which has triggered at least two class action lawsuits, plus investigations by two U.S. states' attorneys general (see Why VTech Breach is So Bad - and So Avoidable ).
After the breach, security researchers began taking a close look at VTech's toys. They found security shortcomings with potential privacy implications. "We found two easy ways to pull the data from their kids' Innotab tablet," Ken Munro, a partner at penetration testing firm Pen Test Partners, says in a blog post. "In the case of a lost, stolen or resold tablet, any and all data that the child or adult has put on there is exposed. Passwords, PINs, email addresses, app data, you name it."
Et Tu, Barbie?
The other toymaker in question is El Segundo, Calif.-based Mattel, which manufacturers a Wi-Fi-connected "Hello Barbie" (see Who Hacked Barbie?). Children can press the doll's stomach to record audio, which then gets uploaded to cloud infrastructure run by a company called ToyTalk for analysis, thus allowing the doll to respond to what children say using one of thousands of prerecorded responses. Parents need to first accept the doll's terms of service and enable the feature via a mobile app, which was also developed by ToyTalk.
But a Dec. 4 "Hello Barbie App, Hello Security Issues" report from mobile app security firm Bluebox Labs and independent information security researcher Andrew Hay warned that they found vulnerabilities in the ToyTalk apps and cloud infrastructure. They claim the apps, for example, could be hacked to steal Wi-Fi passwords, and the servers were susceptible to the encryption-downgrade attack known as POODLE, which attackers could potentially exploit to eavesdrop on conversations uploaded to the cloud by the doll.
Mattel didn't respond to a related request for comment. But a ToyTalk spokesman tells me that the company has been working with Bluebox and that all of the security vulnerabilities have been resolved. He also claims that while there were POODLE flaws in some of its apps, they weren't present in the Hello Barbie app. And he says the company has taken steps to better secure the private key and certificate stored in the Hello Barbie app, so that even if a hacker managed to steal those credentials, they could not gain access to Wi-Fi passwords, child audio data or alter what the doll says. In addition, he says the short window for any attempted certificate theft exists only "during the few minutes that a user takes to connect the doll to their Wi-Fi network."
Watch Out for 'Smart' Toys
These security problems have prompted some big-picture warnings. "Do you really want a 'smart' toy for Christmas?" asks University of Surrey computer science professor Alan Woodward via Twitter. "Just 'cos you can doesn't mean you should."
And just because something is marketed as being "smart" doesn't make it so. "I'm really having a difficult time imagining a connected toy that's anything more than a distraction," Sean Sullivan, a security adviser at Finnish security firm F-Secure tells me. "I limit my own screen time during the hours my son is awake, which means I have to talk a lot as a result, and it's tiring, but from what I've read, it's that sort of interaction that truly builds a child's vocabulary."
Sullivan also questions the efficacy of so-called e-learning toys. "The amount of words a child knows when starting school is a good predictor for success. I'm not willing to outsource that job to tech."
Beyond the developmental questions involved, smart toys raise information security and privacy questions as well. Maybe one day there will be government agencies that certify whether a device passes rigorous information security tests. For now, however, assume every type of device is insecure, unless the opposite is proven true, suggests Chris Wysopoal, chief technology officer at application security firm Veracode.
Really Barbie? Poodle? Crypto is hard. Assume products are broken until proven otherwise. https://t.co/5fK32wbIiOï¿½ Chris Wysopal (@WeldPond) December 7, 2015