• Almost every day a number of devices are reported to have vulnerabilities. Today it is children’s connected toys.
  • Several security flaws, including a lack of authentication for device pairing, were found in toys sold this holiday shopping season.

Researchers at NCC Group and the consumer group Which? jointly tested smart toys from several top brands, including Mattel and Spinmaster.

What did they find?

Many of the toys were found to be missing authentication when connecting to a device for pairing.

  • This authentication ensures that the toy is connecting to a legitimate source. When it is missing, the toy can potentially be open to a variety of attacks that may endanger the kids.
  • During the research, it was found that walkie-talkie devices of the same brand as the toy could be paired effortlessly and used to communicate with the child from a distance of up to 150 meters.

Another flaw they found was that some toys required logging into certain websites for updates or to download certain features. These websites were missing encryption and consequently exposed account and session data to interception by almost anyone.

Researchers also found another vulnerability associated with some of the toys. The websites indicated whether a username or email address was already registered. This could potentially allow attackers to launch brute-force attacks to obtain registered usernames and email addresses.
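The registration-status leak described above, shown next to a handler that answers the same way for every address. This is an added example, not code from the researchers or the toy vendors; the function names, the in-memory store, the outbox and the messages are all hypothetical.

```python
# Added example with constructed data; every name here is hypothetical.

def register_leaky(store, email):
    """Behaviour the article describes: the reply says whether the
    address is already registered."""
    key = email.strip().lower()
    if key in store:
        return 409, "This email address is already registered."
    store.add(key)
    return 201, "Account created."


def register_uniform(store, outbox, email):
    """Hardened variant: identical status and body for every address.
    The part that differs is sent to the mailbox owner instead."""
    key = email.strip().lower()
    if key in store:
        outbox.append((key, "A sign-up was attempted with your address. "
                            "If this was you, sign in or reset your password."))
    else:
        # The account is only created after the owner follows the link,
        # so the store is not modified here.
        outbox.append((key, "Confirm your new account: <one-time link>"))
    return 202, "If the address is valid, check your inbox to continue."


def reveals_registration(handler, known, unknown):
    """Regression check for a test suite: True when the visible response
    (status and body) differs between a registered and an unregistered
    address. Response timing is not measured here."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    accounts = {"parent@example.com"}   # constructed sample account
    outbox = []                         # stands in for an outgoing mail queue
    leaky = lambda e: register_leaky(set(accounts), e)
    uniform = lambda e: register_uniform(accounts, outbox, e)
    for name, handler in (("leaky", leaky), ("uniform", uniform)):
        leaks = reveals_registration(handler, "parent@example.com",
                                     "new@example.com")
        print(f"{name}: response reveals registration status = {leaks}")
```

The same uniform-response rule applies to login and password-reset forms, which can leak the same information.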

What they’re saying

“While the onus should never fully lie with parents or guardians, checking that the product literature has sufficient reference to security and privacy before purchasing should be the first step. And if concerns persist after purchasing the device, supervision should always be performed on toy operation and any accompanying online activity and use,” said NCC Group, which took part in the research.

“Safety is top priority with every Singing Machine product produced, as demonstrated by our 37 year history without a product recall. We follow industry best practices as well as all applicable safety and testing standards,” said Singing Machine in a statement.

Cyware Publisher