The holidays are right around the corner, and there’s nothing better than seeing a child’s face light up when they unwrap the new tech toy they’ve been dreaming of for months. Robots, drones, and child-friendly smartwatches are topping this season’s list of recommended gifts. But security experts are warning parents: not so fast. You might be inviting a spy into your home.
Many of these toys have been designed with insufficient regard for privacy and security. Some are easily hacked via unsecured Wi-Fi connections, allowing any potential predators within range of the network to spy on children and other family members through the microphones or video cameras installed on these gadgets. Germany has even gone so far as to ban “child-friendly” smartwatches altogether. The potential for somebody to hack into the watch and obtain GPS or contact information is too real a risk to ignore.
We wanted to see how these toys performed for ourselves in a lab environment, so we invited Sarah Jamie Lewis – a top security researcher – to dig deep and expose the most concerning vulnerabilities in several of this season’s hottest toys. Read on to find out which ones are best left on the shelves, or check out the smart toys research report in full (currently redacted of specific vulnerability details for reasons of public safety).
Espionage by Electric Vehicle
While this video-enabled remote-controlled car is fun to play with, it is one of the most vulnerable toys of 2017. The camera on the front of the vehicle sends video to the app on a compatible iOS or Android smartphone, making the driver feel like a first-person player – awesome, right?
Not quite. The danger is that all of these data are shared through an unencrypted Wi-Fi connection. It only took 14 minutes in our test to hack this connection, meaning a snoop can gain total control – they can drive around and film anything they want.
Spy in the Sky
Drones used to be too expensive to be kids’ toys. For adults and professionals, some come stacked with features such as thermal imaging, 4K video, and long-range capabilities, and security is often a priority in their design. The Sky Viper, on the other hand, was designed with everything but safety in mind.
Like the Nomad, the Sky Viper is operated via an unencrypted Wi-Fi connection to an app on a smartphone. Hackers can quickly gain access to a live video feed and any stored videos or images on the device. The hacker will have a bird’s-eye view of your child’s home, school, or wherever they’re operating the drone. If your child desperately wants a drone this holiday season, we think it’s worth doing your research and spending a little more to find one that is secure and immune to hackers.
Who Watches the Watchers?
The intended purpose of the Q50 smartwatch is to allow parents to track the whereabouts of their children. Ideally, the tracking feature on the watch would prevent a child from becoming one of the over 700,000 missing children reported in the U.S. and U.K. each year. However, the designers of this watch may be unwittingly contributing to this problem by leaving the system open and vulnerable to anybody with basic hacking skills.
The watch comes with a default six-digit passcode that’s easy to guess: 123456. Users are not prompted to change the default code, meaning most keep this easy-to-remember sequence as their only form of security. Once a hacker knows the passcode, they can pose as a parent and send false messages. They can alter the GPS coordinates to make it appear the child is where they are supposed to be (even if they are not). They can even gain access to the microphone to listen in on the child’s conversations. We would highly recommend that parents not purchase this product until manufacturers have taken measures to boost security.
A Vulnerable Videomobile
There’s a reason “The Fast and the Furious” franchise keeps churning out movies. People love fast cars. This toy hands over the controls to eager fans and lets them drive the car through an app on their phone. We’ve already seen how video-streaming capabilities in toys can be a common entry point for malicious attacks, so you can probably guess at this point that the Air Hogs FPV ought to stay parked until a safer system is created.
While strangers can’t gain control of the vehicle, they can access live video streams, which they can then record and store. They will be able to see everything the child sees, including their home and anyone else the camera spots.
Double Agent Dinosaur
There’s no going incognito with Cognitoys Dino. This educational toy looks innocent enough, and, compared to other toys, isn’t quite as insidious. It’s more difficult to hack, but anybody with the necessary skills can break into the unencrypted Wi-Fi connection that is required to set up the toy.
If a hacker is successful in accessing the toy, the user’s Wi-Fi home password is exposed, and the hacker gains access to the voice recordings your child makes. Who would think such a cute toy would allow unauthorized access to your home Wi-Fi network?
A Double-Faced Droid?
No Bothan spies were needed to infiltrate this toy. In our hacker lab, we were easily able to gain control of the droid through an unauthenticated Bluetooth connection. Once in, we could activate the strobe setting, producing rapid light flashes. We were also able to begin building a crude map of a room by piloting the droid around remotely.
Due mostly to the limited capabilities of the BB-8 (it lacks a camera or microphone), and the much shorter range of Bluetooth compared to Wi-Fi, this droid is the safest product on our list this year. But while it might not represent a high level of danger, the lack of Bluetooth authentication indicates that even the safest toys don’t always take security measures seriously enough.
Holidays are for you and your family, not a creepy neighborhood hacker. We encourage parents to choose among the many safe gifts on the market. Our Privacy Central blog is an excellent resource if you want to learn more about secure networks and precautions you can take to minimize your vulnerability online.
Top10VPN.com is the world’s largest VPN comparison website. It rates and reviews the best VPN services to help protect consumers’ privacy online. The company also aims to educate the general public about the privacy and cybersecurity risks through its free online guides and resources.
About Sarah Jamie Lewis
Sarah is an anonymity and privacy researcher working on projects that help people take control of their own security. She has worked on preventing fraud through adversarial machine learning, discovering and exploiting weaknesses in telephony and networking protocols, and has conducted multiple security assessments of large e-commerce sites and back-end systems.
She publishes articles about the security of the darknet through mascherari.press – an independent organization that researches and publishes news articles and technical reports on anonymity, privacy, and security to help activists, journalists, and others protect themselves online and off.
Each product underwent a variety of assessments designed to test its privacy and security.
- Passive Network Monitoring: Each major product feature was triggered and any network traffic recorded for examination of privacy and security issues. This phase assessed:
  - Whether the product used Bluetooth, Wi-Fi, or other radio communication
  - Whether encryption was used by the product and any associated applications, and whether the encryption used was sufficient to maintain privacy and security
  - Whether data sent by the application were vulnerable to network interception
- Active Application Security Assessment: A selection of features of each product underwent further testing to ensure they were not vulnerable to active exploitation by an adversary. This step examined:
  - Whether the product had any security issues that could endanger the safety or privacy of a user
  - Whether the data being collected were reasonable and appropriate
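As an added illustration of the passive network monitoring step (example code written for this page, not tooling from the report or from Top10VPN): a small Python triage script that takes recorded payloads, estimates whether each flow is sent in cleartext or encrypted, and lists sensitive-looking fields readable in any cleartext flow. The sample payloads are constructed for the demo, and the entropy thresholds and field-name list are assumptions rather than values from the report.

```python
import hashlib
import math
import string
from collections import Counter

# Constructed sample payloads standing in for packets recorded while triggering a toy's
# features during passive monitoring (not real captures from the report).
SAMPLE_PAYLOADS = {
    # A cleartext streaming header followed by the start of a JPEG frame.
    "car-video": b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: video/mjpeg\r\n\r\n\xff\xd8\xff\xe0JFIF",
    # A cleartext tracker check-in carrying location and the default passcode.
    "watch-ping": b'{"imei":"000000000000000","lat":"51.5","lng":"-0.12","pwd":"123456"}',
    # High-entropy bytes (chained SHA-256 digests) standing in for ciphertext.
    "encrypted": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16)),
}
# Field names worth flagging when readable in cleartext (assumed list, not from the report).
SENSITIVE_MARKERS = (b"pwd", b"password", b"passcode", b"imei", b"lat", b"lng", b"ssid", b"psk")
PRINTABLE = set(string.printable.encode())

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext sits near 8, protocol text nearer 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def classify_payload(data: bytes) -> str:
    """Heuristic verdict; thresholds are tuning assumptions, so short or compressed data may be indeterminate."""
    ent, ratio = shannon_entropy(data), printable_ratio(data)
    if ratio >= 0.85 and ent < 6.0:
        return "plaintext"
    if ent >= 6.5 and ratio < 0.6:
        return "likely-encrypted"
    return "indeterminate"

def exposed_fields(data: bytes) -> list:
    """Sensitive-looking field names readable without any key."""
    lowered = data.lower()
    return sorted(m.decode() for m in SENSITIVE_MARKERS if m in lowered)

def assess_capture(payloads: dict) -> dict:
    """Per-flow report: does the link look encrypted, and if not, what is exposed?"""
    report = {}
    for name, data in payloads.items():
        verdict = classify_payload(data)
        report[name] = {"verdict": verdict, "entropy": round(shannon_entropy(data), 2),
                        "exposed_fields": [] if verdict == "likely-encrypted" else exposed_fields(data)}
    return report
```

Running `assess_capture(SAMPLE_PAYLOADS)` flags the car video and the watch check-in as plaintext, with the watch flow exposing its IMEI, coordinates and passcode, while the high-entropy flow is classed as likely encrypted.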
Fair Use Statement
Feel free to use the findings from this page on your own website, article, or blog post for noncommercial purposes only. All we ask is that you link back to this page to properly credit the study’s authors.