DOI: 10.1145/3139937.3139947

Security & Privacy in Smart Toys

Published: 03 November 2017

Abstract

We analyze the security practices of three smart toys that communicate with children through voice commands. We show the general communication architecture and some general security and privacy practices of each device. We then focus on one particular toy and show how attackers can decrypt communications to and from a target device and, perhaps more worryingly, inject audio into the toy so that the child listens to any arbitrary audio file the attacker sends to it. This last attack raises new safety concerns that manufacturers of smart toys should prevent.


Published In

IoTS&P '17: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy
November 2017
90 pages
ISBN: 9781450353960
DOI: 10.1145/3139937
Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article

Conference

CCS '17
Acceptance Rates

IoTS&P '17 Paper Acceptance Rate 12 of 30 submissions, 40%;
Overall Acceptance Rate 12 of 30 submissions, 40%

Article Metrics

  • Downloads (Last 12 months): 168
  • Downloads (Last 6 weeks): 28
Reflects downloads up to 29 Jan 2025

Cited By

  • (2023) Assessing the Security and Privacy of Baby Monitor Apps. Journal of Cybersecurity and Privacy 3:3 (303-326). DOI: 10.3390/jcp3030016. Online publication date: 29-Jun-2023
  • (2023) Towards Usable Parental Control for Voice Assistants. Proceedings of Cyber-Physical Systems and Internet of Things Week 2023 (43-48). DOI: 10.1145/3576914.3587491. Online publication date: 9-May-2023
  • (2023) Data Center Audio/Video Intelligence on Device (DAVID) - An Edge-AI Platform for Smart-Toys. 2023 International Conference on Speech Technology and Human-Computer Dialogue (SpeD) (66-71). DOI: 10.1109/SpeD59241.2023.10314915. Online publication date: 25-Oct-2023
  • (2023) Retracted: Using a Multifaceted, Network-Informed Methodology to Assess Data Sensitivity from Consumers IoT Gadgets. 2023 International Conference on Artificial Intelligence and Smart Communication (AISC) (1303-1309). DOI: 10.1109/AISC56616.2023.10085075. Online publication date: 27-Jan-2023
  • (2022) Security and Privacy Analysis of Youth-Oriented Connected Devices. Sensors 22:11 (3967). DOI: 10.3390/s22113967. Online publication date: 24-May-2022
  • (2022) SkillBot: Identifying Risky Content for Children in Alexa Skills. ACM Transactions on Internet Technology 22:3 (1-31). DOI: 10.1145/3539609. Online publication date: 25-Jul-2022
  • (2022) Family as a Third Space for AI Literacies: How do children and parents learn about AI together? Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (1-17). DOI: 10.1145/3491102.3502031. Online publication date: 29-Apr-2022
  • (2022) Multifactor Authentication Approach on Internet of Things: Children's Toys. 2022 2nd International Conference on Computing and Information Technology (ICCIT) (6-9). DOI: 10.1109/ICCIT52419.2022.9711596. Online publication date: 25-Jan-2022
  • (2021) Toward a conceptualization of the internet of toys. Australasian Journal of Early Childhood 46:3 (249-262). DOI: 10.1177/18369391211007327. Online publication date: 28-Apr-2021
  • (2021) Privacy labels should go to the dogs. Proceedings of the Eight International Conference on Animal-Computer Interaction (1-10). DOI: 10.1145/3493842.3493888. Online publication date: 8-Nov-2021
