The idea that a toy presents a real security threat first came to national attention back in 1998, when a small robot disguised as a fanciful animal was banned by the National Security Agency.
This critter was known as a Furby. The Furby appeared to learn English by listening to words spoken around it and using those words to begin speaking. The government was concerned that the Furby might hear classified information and then repeat it.
While there was some debate as to whether the Furby could actually record English words, it’s since been replaced by a series of smart toys that can most assuredly listen to the conversations around them and also watch the activity around them using cameras.
Those toys, many of which seem to be intelligent dolls or other companions, connect to the internet using WiFi or through a smartphone using Bluetooth. As long as those devices are connected to the internet, there’s no way to know what they’re recording or what information is being sent back to a server somewhere on the internet.
This possibility so alarmed the FBI that the agency issued an urgent announcement on July 17 describing the vulnerability and explaining steps to take to keep the devices from being too much of a threat.
The FBI is particularly concerned because young children will tell their toys all sorts of private information, thinking they’re speaking in confidence. Such supposedly private revelations could risk the child’s safety, not to mention the safety of the entire family.
But the risks from connected devices in the home go far beyond just intelligent companions. A new presentation set for the Black Hat USA conference on July 26 covers security vulnerabilities in Segway hoverboards, which can be taken over by hijacking their Bluetooth connection. Researchers were able to control the overboard remotely and even turn it off while someone was riding it. Additional exploits included the ability to load the hoverboard with malware.
Both of these warnings demonstrate the common threat affecting IoT devices used in the home and in enterprises as well. After all, the NSA wasn’t worried about the Furby being used in the home, but rather when employees started bringing them into the office. That common threat is the lack of security in consumer IoT in general.
The Segway hoverboard was shipped with no real security, for example, even though there was a Bluetooth PIN. That PIN turned out to be cosmetic and did not prevent access. Since then, Segway has apparently instituted encryption on those devices.
The lack of security on those internet connected toys is so pervasive that the FBI provided detailed advice for taking steps that might help with security, such as using strong passwords. The most important piece of advice from the FBI, however, is to make sure the devices are turned off when they’re not actually being used, and when they are being used, to keep an eye on what’s happening through the app associated with the device.
While the FBI focuses on the risks to privacy through internet connected toys, there are actually risks that go beyond that. Because of the lack of security on such devices, it would be relatively easy to load malware that could take over cameras and microphones on internet connected toys. Once infected by malware, the connected toy could then be used for surveillance of the home or office where the toy is being used.
The resulting risk to privacy was enough, according to a report in Reuters, to cause the German government to ban the sales and ownership of a talking doll named Cayla. There the government recommended destroying the internet connected doll immediately.
It would be bad enough if those were the only IoT threats out there on the Internet, but they’re only the latest. There’s a search engine that allows users to find and view any of millions of unsecured IoT-connected video cameras world-wide. Those same video cameras were the repositories for malware that was later used in a massive Distributed Denial of Service attack last year.
Unfortunately, there’s little or no indication that there’s any serious effort on the part of device makers to secure their products. That means that it will pay big dividends to read the FBI’s list of recommendations for dealing with internet connected toys and follow them. Just because the IoT device you’re concerned about isn’t marketed as a toy doesn’t matter.
Likewise, when you read the FBI’s recommendations, remember that you can replace the word “children” with the word “employee” and the advice is still relevant. If you find that the device you’re planning to use can’t work within the FBI’s recommendations, then don’t use it.
Examples of the failings you might encounter when implemented to devices would be the inability to connect with encrypted WiFi, the inability to receive firmware or software updates or the inability to authenticate communications.
Regardless of whether the device is marketed as a toy or, a TV camera or as an industrial process controller, the risks are serious and it’s critical to pay attention to security.