Smart toys and cyber risk have become a rising concern for many. Cyber risks associated with smart toys are making children vulnerable to dangers lurking around them. Consumer Watchdog, a nonprofit advocating for consumers' rights, has urged the toy industry to ensure security before selling the toys.
Researchers have performed tests and saw that most smart toys like Vtech's Kidigear Walkie Talkies have security issues. The "Which?" reported that IoT-connected hackers could penetrate smart toys. Strangers can easily communicate with kids playing with them, and exploit the children.
Vtech issued a public statement trying to dismiss the findings. The statement reads:
"Further to the recent 'Which?' findings, we would like to reassure consumers on the safety of the Vtech KidiGear Walkie Talkies. It uses industry-standard AES encryption to communicate. A single device cannot initiate the pairing of KidiGear Walkie Talkies. Both devices have to start pairing at the same time within a short 30-second window to connect."
Smart toy makers are trying to defend themselves on smart toys and cyber risk issues. However, we have seen the kind of threat IoT devices pose. Recalling back to October 2016, the whole world witnessed a hacker attacked Twitter, Spotify, and PayPal on the same day. Unfortunately, the list doesn't end here. Other prominent organizations like GitHub, Reddit, Netflix, and Airbnb were also the victims of the Mirai bot attack.
The hacker found a weak point in the security cameras and exploited it. The consequences were shocking. 300,000 IoT video recorders started to attack big social media platforms and were inaccessible for 2 hours. This incident proved that even big organizations couldn't protect themselves from IoT security issues.
What are some of the security risks and issues with IoT devices?
Lack of compliance in IoT manufacturing can make IoT devices susceptible to damaging Mirai malware's botnet attacks. There are many IoT security threats, but we've documented a few.
1) Industrial Spying:
Hackers don't infect IoT devices to spy on people. Instead, they do it to access private or sensitive data to harm the owner. Sometimes they do it to demand ransom.
It becomes a severe cyber threat because IoT devices access user information from health equipment, smart toys, wearable devices, etc. Moreover, hackers can access business data from IoT devices in the industries if you don't meet security compliances.
For instance, Germany has banned an IoT doll as a spying device because it had IoT security issues. Any stranger could use it and connect with the kid via the toy's microphone and speaker. The stranger would need to be within a 25-30 meter radius to perform this action.
2) Ignorance of IoT Manufacturers regarding smart toys and cyber risk:
There are no universal IoT security standards, so manufacturers don't have any obligation to create high IoT security devices. As a result, manufacturers sell IoT devices to customers with unresolved security risks.
For example, anybody can access a smart fingerprint padlock with a Bluetooth key. In this case, the Bluetooth key must have the same MAC address as the padlock device.
The security and privacy of the IoT device depend on the design. The same goes for smart toys as well. It is because the internet of things isn't an isolated system. Manufacturers need to ensure complete security from the front end to the system's back-end for IoT devices.
Manufacturers need to integrate end-to-end encryption in IoT. IoT end-to-end encryption will protect the user data from start to end. The traffic from the source to the destination will be fully encrypted and authenticated. So in case a hacker penetrates and captures the traffic, he won't be able to read the information. Currently, most manufacturers don't build IoT toys with end-to-end encryption. It is because manufacturers aren't worried about smart toys and cyber risk issues.
The Threat Post reported that over 2 million IP security cameras, baby monitors, and smart doorbells have security issues. These 2 million IoT devices are susceptible to attackers hijacking them and spying on the owners. The attackers can easily access the devices without manual configuration. They need peer-to-peer (P2P) communication across IoT devices to hijack them.
The hijackers use iLnkP2P technology developed by Shenzhen Yunni to launch peer-to-peer communication to achieve their mission. This P2P solution can find and take over vulnerable cameras used in the devices remotely.
3) Lack of IoT User Knowledge & Awareness:
Currently, manufacturers are building IoT devices with poor security. The security hazards are weak passwords, insecure data transfer, and storage, hardware issues, etc.
The IoT security risks are at the manufacturer's end. However, the users' ignorance and lack of IoT functionality knowledge are putting them at more risks. In other words, one of the most significant IoT security risks is social engineering attacks, and most users are unaware of it. In simple terms, social engineering attack targets humans instead of devices.
The 2010 Stuxnet attack against the nuclear plant in Iran is a remarkable event to highlight the social engineering attack on IoT devices.
A worker had plugged a USB flash drive into one of the internal computers. Unfortunately, the social engineering attack tricked him. As a result, 1,000 centrifuges were infected and made the nuclear plant explode. Industrial programmable logic controllers (PLCs) were the target point of the attack. The worker's lack of knowledge about IoT devices and social engineering attacks caused this accident.
4) Botnet Attacks:
IoT devices are susceptible to malware attacks. However, the malware cannot threaten a single machine even if it manages to infect it.
However, the real trouble begins when the hacker creates an army of bots by infecting them with malware. Then, he uses them to send massive traffic per second to bring down the target. The intruder can do this because IoT devices lack the regular software security updates that a computer has.
Earlier, we mentioned the Mirai bot attack in 2016, bringing down big organizations like Twitter, Reddit, etc.
The criminals launched multiple DDoS (Distributed Denial of Service) attacks on thousands of IP cameras, NAS, and home routers. In short, a DDoS attack is like an unexpected traffic jam clogging up the highway. The purpose is to prevent the regular traffic from arriving at its destination.
The contaminated IP cameras, NAS, and home routers brought down the DNS that provided services to the big organizations.
Interestingly, botnet attacks infect smart toys and electrical grids, manufacturing plants, transportation systems, and water treatment facilities. Thus, in the industrial scenario, the botnet attack can harm a massive group of people.
5) IoT Devices Hijacked for Ransom:
Imagine you've got an IoT-enabled smart door lock for your home. One evening, your IoT device gets hijacked, and you receive a ransom demand. They block the functionality of your IoT-based door lock. Without paying the ransom, you cannot enter your home.
Such cases with IoT devices are rare, but Ransomware is evolving. Cybercriminals may not let off the opportunity to earn easy money by breaking into an already vulnerable system.
Cloud systems store IoT information, so hackers may not find valuable information to block that's a good part. However, as mentioned above, the devices will stop working, and the owners will be harassed or robbed in broad daylight.
IoT devices like smart toys, wearable, healthcare gadgets, smart homes, and IoT-enabled ecosystems might be at risk of Ransomware.
When IoT toys Turn Evil:
IoT toys connect data and events using Bluetooth, WI-Fi, the cloud, and mobile apps. Earlier smart toys contained microphones and cameras collecting visual and audio data.
With the rapid development of IoT, smart toys now use facial recognition technology. But, unfortunately, it escalates potential threats because 98% of IoT traffic is unencrypted.
Manufacturers aren't using end-to-end encryption to secure the IoT devices yet to combat smart toys and cyber risk issues. So, parents will need to ensure safety for their kids.
The parents need to check out a few things:
Get answers to all these questions and assess if the smart toy may pose any threat to your child before buying it.
Smart toys and cyber risk issues are increasing concern among people. As a result, the U.S. NTIA runs an FTC-initiated working group to develop guidance around securing IoT devices.
In the EU, ENISA has produced guidance "Baseline Security Recommendations for IoT" referring to smart toy security vulnerabilities.
Smart toys and cyber risk issues should be dealt with solemnity, especially when it involves kids. The manufacturers must give importance to the design and development of smart toys to protect them from all ends.
Parents must do their parts and demand answers from the manufacturers regarding the security and risk factors associated with smart toys.
Parents have the right to know everything about the measurements taken to make smart toys safer. Your child's safety and privacy should always come first.