Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com) 32
An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
Re: (Score:2)
Not necessarily IOT, they're just bluetooth enabled, not internet connected.
Re:IOT (Score:4, Funny)
Intelligent Devices, Internet Of Things.
Made for their acronym.
Re: (Score:2)
Re: (Score:2)
But...Where?
Re: (Score:2)
That Which? carried out the tests are those Who were ill advised on a search friendly name.
Re: (Score:2)
Has anyone really been far as decided to use even go want to do test more like?
Re: (Score:2)
Shocked! (Score:1)
I'm shocked I tell you, shocked.
Re: (Score:2)
Well, not that shocked [youtube.com].
Nintendo DS (Score:2)
The same scare tactics appeared when the Nintendo DS with Pictochat was released. "stalkers" could chat with your child! But what is the wireless range of the devices? 30ft or so? So basically already within visual and verbal range to begin with. But now its exactly the same thing "BUT WITH A COMPUTER" (wait, isn't this the new Slashdot meme for patents, to just take normal every day activities and items, slap "with a computer" on it, and patent it all over again..?)
Re:Nintendo DS (Score:4, Interesting)
The same scare tactics appeared when the Nintendo DS with Pictochat was released. "stalkers" could chat with your child! But what is the wireless range of the devices? 30ft or so? So basically already within visual and verbal range to begin with. But now its exactly the same thing "BUT WITH A COMPUTER" (wait, isn't this the new Slashdot meme for patents, to just take normal every day activities and items, slap "with a computer" on it, and patent it all over again..?)
Except two things.
1) Pictochat only works if you're in the application. Once you exit, you can no longer send nor receive. And on the NIntendo DS, that's trivially easy to do by doing something else on the DS.
2) Bluetooth has a range of 30' to 100'.
If these toys are disregarding basic Bluetooth security, then it's possible for someone to simply establish a Bluetooth connection and potentially listen in, too. Being able to connect to one of these devices and use it as a spy gadget is useful
At least Pictochat is controllable - it only works when it's running. But these toys, if you can commandeer them to listen in 24/7 are far more dangerous
Re:Nintendo DS (Score:4)
Also, the child would have to be old enough to read and write to communicate in pictochat. Not ideal for dealing with strangers, but the toys in TFA could reach younger children who might not properly understand that the voice isn't their toy come to life.
Bluetooth classes (Score:5, Informative)
But what is the wireless range of the devices? 30ft or so?
Bluetooth devices are sorted into classes depending on radio power and thus range.
Your random USB bluetooth dongle is usually a Class 2 device with a range of ~10m (about 30ft)
There are USB dongle that are Class 1 devices with a rande of ~100m (about 300ft).
Also keep in mind that most walls (except steel reinforced concrete) are transparent to the frequency range used by Bluetooth/Wifi/ Wireless-USB/etc.
So by using off-the-shelf parts, an attacker could hack the toys from the street in front of the house.
And that's just the off-the-shelf dongle. The you can basically watch any computer security conference and see people boosting range of various wireless gizmos (RFID/NFC dongles, etc.) to crazy distance.
Cue in demos of mass-hacking use a pringles can-tenna.
(an attacker could scan the whole street using a simple modified bluetooth setup).
A Burglar want to see which houses on a street are potentially empty ? Just mass-scan all the unsecured IoT thingy (Bluetooth enabled toys, Wifi enabled surveillance, etc.) and see which of those only register silence or no visual motion.
You don't say... (Score:3)
What you are dealing with in the "smart devices" world today is what you saw in the computer world about 20 years ago when this "networking" thing was new for developers. They were used to creating software for standalone machines, suddenly they had to deal with the fact that there was a two-way data street connected to their machines. Looking back, we can only shake our heads at the naivete and utter ignorance. Even the last junior developer today will tell you it is a BAD, BAD, BAAAAAD idea to let anything in a browser run out of a sandbox on a user's PC. Still, 20 years ago large corporations thought this is a really smart idea, hey, we're extending the computer by content from the internet! What could possibly go wrong?
They, like us those 20-25 years ago, see a lot of potential and incredible opportunities, while not even knowing how it could possibly be a security concern. Yes, we look at them with contempt and sneer at their ignorance, but understand that these people CANNOT know what kind of security holes they're ripping into our homes.
That doesn't mean that it should be excused or that they deserve sympathy. It only means that we shouldn't buy their junk for the same reason we don't buy cars from someone who has so far only built shopping carts.
Re: (Score:3)
> these people CANNOT know what kind of security holes they're ripping into our homes.
Sure they can - they can do their due diligence and hire someone that knows what the %$@! they're doing. And then *listen* to them. This isn't the 80s anymore - the problems are mostly well understood by, not only experts, but anyone even moderately competent in network security. If you're making an internet-connected device without getting a competent network security person to sign off on it, you should be held just
Re: (Score:3)
So how many people do you know that have a background in IT security AND embedded design? I know one. And I already have a job I'm not about to leave the job I already have.
Embedded development is a totally different beast than "normal" networking stuff. You cannot just take what you learned in your 20 years of writing network applications and transfer it. Twice so when you're dealing with the various legal and technical restrictions in the car industry on top of the other headaches. This isn't as trivial a
Re: (Score:2)
They've already got the embedded developers - they're making products. All they need is the network security expert to review what they're doing, early and often.
Also, having not done networked embedded development, can you enlighten me on what's so different? Obviously you generally have fewer resources to waste on layers of APIs, but the basic protocols are all the same, as well as the fact that you can't trust *anything* coming in from elsewhere to "obey the rules" until you've personally scrubbed it f
Re: (Score:2)
It starts way lower usually. With any hint of bad luck, you not only have to review the SSL implementation, you have to review the IP stack implementation. Many off-the-shelf solutions don't apply due to timing or resources limitations. You can for example usually not simply take any USB implementation because the hardware you have available cannot handle USB 2.0 timing constraints. You cannot waste a few MB of ram on a sensible IP stack implementation because that's literally all available ram you have. Bu
Re: (Score:2)
>you get a security report you simply cannot heed due to the limitations you're dealing with
Keeping in mind of course that those limits are almost completely arbitrary - after all today you can get the equivalent of a low-end desktop PC with a few hundred megs of RAM for $5. Retail. Yeah, it raises the cost of the vehicle slightly to use them, but so do seatbelts, safety-glass windows, engineered crumple-zones,etc,etc,etc.
Unless available power is at a premium, you can always upgrade your hardware. Possi
Re: (Score:2)
And that hardware you want to use is certified for the purpose you plan to use it in? Because if not and ANYTHING happens (whether related to the hardware you use or not), be prepared for a lengthy and costly legal battle that you most likely will lose.
Get it certified? Not really cheaper.
You'd be surprised just how little choice you actually have sometimes.
Re: (Score:2)
That may be applicable to cars - I doubt anyone has ever certified anything related to a web-cam enabled teddy bear.
Even in cars though - if you substantially change the scenario, the certification should be the *first* thing to be updated. The instant you plan to provide any remote-accessible communications channel to the inner workings of a car, suitable security should become part of the certification requirements.
Developers, developers, developers... (Score:5, Insightful)
You get what you pay for. And I'm talking about the software developers here, not commenting on the toys. Company X hires junior developers, or can only retain developers working for minimal pay.
Guess what the quality of their work is going to be? Guess what the company's QA department looks like?
No surprise. Race to the bottom!