Avoid buying any of these smart toys for your kids this Christmas

It seems that nowadays any object features Internet connection, and toys are no exception. Information security experts point out that multiple devices designed for children have an Internet connection or the ability to be controlled through an app, among other interactive features and, although this seems very attractive to the parents, sometimes using one of these toys could expose children to strangers anywhere on the Internet, so you need to know more about the safety of these devices.

Unfortunately, not all Internet-connected toys have proven to be secure, as they have deficiencies in their security measures or software vulnerabilities that, if exploited, would allow a threat actor to access the device with the purpose of contacting the user child. Below is a list of some of the most insecure smart toys, so it is recommended to avoid their purchase.

Karaoke machine

Two of these toys were analyzed: Singing Machine SMK250PP and the TENVA microphone, available on Amazon, both with Bluetooth connection. During the analysis experts discovered that none of these toys request authentication on the Bluetooth connection, so any threat actors within the connection range (about 10 meters) could try to send messages to the device, that messages could be heard by children.

As if that weren’t enough, information security experts claim that these devices are vulnerable to a variant of attack known as “second-order attack”, which involves the use of a karaoke machine to be able to try to control other devices voice-activated smarts, like a smart speaker.

Vtech KidiGear walkie-talkies

The manufacturer claims that these walkie-talkies are protected with encryption and, although the analysis revealed that this is true, it was also found that the pairing process between the two devices could be compromised by a threat actor. The analysis revealed that a threat actor only requires a couple of these walkie-talkies to match them to the target child’s walkie-talkies; this scenario is even more dangerous than the previous one, because unlike the Bluetooth connection, these devices have a range of up to 200 meters. Although this attack requires other variables to be presented, it still poses a risky scenario for children using these devices.

FFB15 Bloxels Build Your Own Videogame, manufactured by Mattel

The security risk in this toy is related to the Bloxels web portal, created by Pixel Press. Any user of this toy can create, upload and play a video game through a smartphone or tablet; however, the analysis showed that there is no restriction to load inappropriate material on the platform. Inappropriate content may be restricted or deleted, but a report must first be sent to Bloxel, which can take considerable time.

Sphero Mini interactive toy

This toy was designed to help children learn to code, but it has various safety flaws. First, its Bluetooth connection does not have authentication, although this could be the least of its problems. Like Bloxels, information security experts mention that any user could upload inappropriate content (mainly offensive language) to Sphero’s online platform.

Boxer interactive toy

This little robot requires the download of an app to work and, although it is not necessary to create an account to access the app, it is possible for parents to create an online account to monitor the use of the toy, that is where the danger lies, because these accounts are easy to hack, which would jeopardize the account owner’s personal data.

Information security specialists from the International Institute of Cyber Security (IICS) recommend checking the specifications of each smart toy before making a purchase, as security measures are highly likely to be you may want to think twice before bringing one of these devices home.

Originally published at https://www.securitynewspaper.com on December 10, 2019.

Knowledge belongs to the world