Watchdog Group Claims Smart Toys Are Spying On Kids (mashable.com)
The Center for Digital Democracy has filed a complaint with the Federal Trade Commission warning of security and privacy holes associated with a pair of smart toys designed for children. Mashable reports: "This complaint concerns toys that spy," reads the complaint, which claims the Genesis Toys' My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information. Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in a conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways. Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while "most of Cayla's conversational features can be accessed offline," searching for information may require an internet connection. The promotional video for Cayla encourages children to "ask Cayla almost anything." The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on on screen. While some of the questions children ask the dolls are apparently recorded and sent to Nuance's servers for parsing, it's unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information. The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, "Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing." Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys' open Bluetooth networks, according to the complaint.
Re: Ahh (Score:3, Informative)
No, it doesn't. Xbox and Windows 10 both require keyword activation, which occurs on the device itself and not over the Internet, to open the gateway to Microsoft's NLP service. These toys apparently skip that important step and record EVERYTHING.
Re: (Score:2)
Not disagreeing with the rest of your comment, but streamed voice grade audio requires very little bandwidth.
Re: (Score:1)
You're really admitting watching that show here?
Throw your geek card into the shredder provided on your way out, please.
Re: (Score:3)
There actually IS such a show?
Re: (Score:2)
Yes. I couldn't believe it either. What I could deduce from the trailer I had to endure was that it's apparently the current Las Vegas crew with some computer crime angle. The trailer was cringeworthy enough that I didn't want to see more.
Re: (Score:2, Funny)
> There's no good reason for a fucking doll (or refrigerator or thermostat or dog bowl or...) to have goddamn internet access.
As a dog, I agree with you on everything except the dog bowl.
Re: (Score:2, Funny)
No, you are a cow. Cows say Mooo. Moooo! Moooo! Moooo Cows Mooo! Mooo you internet connected cow!
Re: (Score:2)
I can see an argument for being able to adjust the temperature of my house before I get home on the rare occasion I'm getting home at an unusual time. I wouldn't get a connected thermostat just for that though.
Re:Trend whores get what they deserve. (Score:4, Interesting)
At least my thermostat doesn't stop working randomly [nytimes.com] and my lights don't turn on and off because someone flew their drone by my house [eyalro.net]. That, and my things don't participate in DDoS attacks [thehackernews.com].
Re: (Score:2)
Give it 5 years and the TV shoots the baby.
Re: (Score:2)
RealityTV taken to a whole new level...
Re: (Score:2)
> I have no pity for idiots laying out thousands for pointless SmartCrap. There's no good reason for a fucking doll (or refrigerator or thermostat or dog bowl or...) to have goddamn internet access.
> It's like some irresponsible asshole buying a gun then crying when he leaves it out and the baby shoots the TV.
I don't own any but I don't see it as pointless. I can see a very good reason for it. Adults ask Siri and Google thousands of questions a day via their smartphones. A logical extension of this is a teddy bear for a 4 year old where the 4 year old can ask questions like "what is a raccoon?"
Re: (Score:3)
They're listening. They're learning. They're coming.
They're at least breathing pretty damn hard.
Re:AI will replace your children (Score:4, Funny)
At least the AI won't bring some fruity hipster with a man-bun over to the house for Thanksgiving like my daughter recently did. I mean, he was a nice enough guy and all, but he seemed a little low-T if you catch my drift. I tried to get him to watch football or go out back and play mumblety-peg or strip down to our briefs and try out some wrestling moves, but he demurred. He also wouldn't eat any of the turducken, saying that he was some kind of vegan or something. I mean, what the fuck is that all about? When I was his age, I lived on raw hamburger and Skoal Long Cut.
I guess my dream of my daughter marrying a first-round draft pick out of Alabama or something is just about gone. Well, it is what it is. Kids will break your goddamn heart, you know?
Re: (Score:1)
> At least the AI won't bring some fruity hipster with a man-bun over to the house for Thanksgiving like my daughter recently did
Oh, brother, you're bringing me back to my youth. A cute enough, rambunctious girl I'd gotten into various trouble with brought me home to meet her parents. I did the dishes: I chatted politics (not football!) with her dad, and discussed my sports. (SCA sword and shield combat at the time.) And we discussed that I was an emancipated minor, accepted to MIT the coming year.
The fo
PizzaGate! (Score:1)
This is all part of PizzaGate's grand kid swiping scheme. I just knew it!
Gotta say (Score:5, Interesting)
I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.
Who knows what kind of conversations it might overhear, or how it might be mined for incriminating information. Or how something innocuous might be misinterpreted as grounds for an investigation by the police, CPS, the FBI, etc etc.
I'd bet my ass it's easy to hack to act as a remotely controllable audio bug by anyone with nefarious intent.
Even worse, who's to say the stream couldn't be modified to make it seem like it "heard" child abuse, criminal activity, domestic violence, drug dealing...the possibilities are endless. How would you dispute a recording from one of these things where you were supposedly heard discussing (or confessing to) illegal activity? How would you prove it wasn't real?
If I was paranoid, I'd say that some intelligence organization is pushing these kinds of things in order to establish a covert surveillance network that could be used for all sorts of evil shit. But that's crazy, right? The CIA/FBI/NSA would never want a bunch of microphones in everyone's home, right?
Re: (Score:2)
On the plus side, think of the opportunities for yanking their chains!
Me: Hey, wife! Did you use up the cocaine without replacing it?? You KNOW you're supposed to get more if you use up the last of it!
Wife: Husband, I haven't touched the coke in weeks. Either the kids or the dogs are getting into it. Or you're just blacked out from when you used the stuff up. In any case, there's still plenty of Ecstasy and Heroin, so I don't see what you're getting so excited about....
***and on and on for ten min
Re: (Score:2)
How so? Assuming the husband and wife in this scenario were spinning shit and don't actually have illegal drugs, any raid would prove fruitless. Indeed, wouldn't a raid require a warrant, thus giving away the source of intelligence, that being the toy shaped listening device?
Now, if the husband and wife in this scenario were to, say, jokingly discuss a pending act of terrorism, I'm sure the next stop would be G-Bay. No need to divulge any intelligence sources. Scary.
Re: (Score:2)
TLAs don't like being shown that they're stupid, and they have ways to make you pay for their stupidity.
Re: (Score:2)
I'm sure if they shop around they can find a rubber stamp somewhere. Then they'll come in and literally rip the sheet rock off the walls looking for drugs. Then they'll leave without so much as a vague grunt of apology, having broken literally everything in the house. Be sure to board your pets with friends first if you don't want them shot. Probably should send the kids off too, just to be safe.
Re: (Score:2)
> On the plus side, think of the opportunities for yanking their chains!
> Me: Hey, wife! Did you use up the cocaine without replacing it?? You KNOW you're supposed to get more if you use up the last of it!
> Wife: Husband, I haven't touched the coke in weeks. Either the kids or the dogs are getting into it.
Yeah, after the feds get done tossing your house, confiscate all your shit, put your kids into foster care, and after you bond out of jail, it'll be a hilarious story to tell at the lawyer's office!
Re: (Score:2)
Once they've broken everything you own and emptied your wallets and jewelry box, they'll magnanimously let you "off the hook".
What about all of the other toys? (Score:5, Interesting)
So is a "smart" TV, a laptop computer, a tracker (a more appropriate name for a cell phone or mobile phone which recognizes the activity it does the most), and so many other voice-activated gadgets with network connectivity all running proprietary (read: untrustworthy by default) software. And a lot of these devices have cameras in them too, also under proprietary software control. And virtually all of them have been used by kids for years. Some of these devices have geolocation hardware in them too, that must make it easier to geotag the data the proprietors can acquire, keep, and share. I think it's great that people are finally getting around to thinking about the security and privacy implications when this is presented to them in the form of a toy but really this is far too late in coming.
Departing from the parent comment, situations like this are also a constant reminder of the profound inadequacies of modern-day IT experts who choose to surround themselves with these things, not in an experimental way to investigate them but as consumers who apparently value minor convenience more than their own privacy.
Only software freedom helps you enjoy all of these devices in a way where you, the user and owner of the device, can have a real say in what gets recorded, where that data is copied, and thus who gets access to that data. It's not about shutting these things out of your life entirely, it's about respecting who should control this data.
Of course they do. (Score:4, Insightful)
Re: (Score:3)
We learned not too long ago that many Smart TVs just transmit everything they hear to a remote server in the clear. How many IoT devices are compromised already and are now being used as little attack droids? How about those Sony security cameras with built-in backdoors that were uncovered recently?
These days, your default assumption should be that any internet-connected device has zero concerns for your privacy, and is probably insecure enough to be placed immediately on a botnet as soon as any criminal ca
Re: (Score:2)
The real problem is that companies feel like they can do pretty much anything as long as they bury it in a 90 page EULA somewhere. No need to put "this toy transmits everything you say to us, and we use it to sell you more shit, and sell your details on to other companies" on the box, just hide it on page 36 and most consumers won't even find out about it.
IoT is ripe for some strong regulation. I'd suggest mandatory notifications when vulnerabilities are discovered, unpatched firmware = full refund, and man
Echo (Score:2)
It's just a synonym (Score:3)
Obligatory Simpsons did it! (Score:3)
I may be old, but... (Score:5, Funny)
At least my Lincoln Logs never spied on me.
And I'm so old that when I was five and told my dad I wanted Lincoln Logs for Christmas, he handed me a hand axe, a piece of flint and some beef jerky and dropped me off in the woods. I was out there in my little jammies in the middle of December and let me tell you, it got so cold I had to kill a deer and crawl inside to keep from freezing to death. It was like something out of The Revenant.
Yeah, I had a rough childhood, let me tell you.
Re: (Score:2)
> At least my Lincoln Logs never spied on me.
> And I'm so old that when I was five and told my dad I wanted Lincoln Logs for Christmas, he handed me a hand axe, a piece of flint and some beef jerky and dropped me off in the woods. I was out there in my little jammies in the middle of December and let me tell you, it got so cold I had to kill a deer and crawl inside to keep from freezing to death. It was like something out of The Revenant.
> Yeah, I had a rough childhood, let me tell you.
Bah, you were pampered.
Every year I asked my dad for a .303 bullet. He slap me, then toss me a block of brass and some cordite, I had to mill my own Christmas present and I used to shoot myself in the foot with that .303 every year on Christmas morning... We didn't have no deer to crawl inside of and keep warm, we had to burn the remains of our hopes and dreams to keep warm then eat snow and tree bark for supper... And we were grateful for it.
Try to tell kids that these days and they'll never believe
Less nefarious than presented. (Score:4, Insightful)
As someone who actually looked and considered it, the toys are less nefarious than they seem to be accused of being. The physical toys are actually just (insecure) Bluetooth speakerphone devices. Seriously, you can use the dolls to talk to people on the phone. Where the real danger lies is in the Android/iOS applications. I do not know if the application runs in the background 24/7 but I get the feeling you have to activate it to make the toy "smart" because always being on would cause battery drain issues. If your kid already has their own Android/iOS device then you have already failed on the privacy front.
Six hours later... (Score:1)
Inquiring minds want to know (Score:1)
SPYING!? Bulls**t! (Score:2)
There is a huge difference between "spying on kids" and "security hole". This article and complaint are such crocks of shit.
a corporate magna carta (Score:2)
Back in 2008 when Jennifer Stoddart put the snow boots to Facebook, I came up with what still strikes me as a reasonable compromise, that legal proscriptions against reverse engineering only apply to products promising to collect/report no personal information whatsoever (with Draconian thumb screw stockades for corporations affixing a "does not collect" sticker by means of a cryptochemical Volkswagen-grade adhesive).
It just seems wrong that a toy can A) collect personal information, and B) the user has no
My gosh.... (Score:1)