Botnet Barbie: Think twice about buying a Wi-Fi enabled toy this Christmas

In the wake of successful attacks on connected toy manufacturers, security researchers have urged parents to think twice before buying their kids Wi-Fi enabled playthings in the lead up to Christmas.

Ethical hacker and managing director of Whitehack Adrian Wood told CyberShack that parents face three potential risks when buying an internet-enabled toy.

"The risks come from several areas, one being that it might allow for the trivial access to any microphones, cameras or data storage associated with the connected toy," said Wood. "The second main area is that any data stored on a server for this toy, such as passwords or personal information could be accessed maliciously."

"The computing power of the devices could also be used to participate in 'botnets'. In the past, we've seen other connected devices such as coffee machines, fridges and washing machines being used to attack other businesses in denial of service attacks, or to mine bitcoin, whilst the owner pays for the internet or electricity costs of doing so."

Wood's comments come off the back of a hack that left the personal information of almost 5 million parents and over 6.3 million children exposed. An anonymous hacker breached the servers of kid-friendly gadget manufacturer VTech in the middle of November, not only stealing personal information, but photos, voice records and parent-child chat logs.

The toy at the centre of the controversy is the InnoTab 3, a "learning tablet" touting wireless connectivity, a microphone and camera.

Security writer Troy Hunt expressed disappointment at VTech's security failings, pointing to the absence of SSL encryption and properly protected passwords as glaring issues.

"I’ve got two little kids and as a father, this really made me think about the footprints I’ll make for them online," wrote Hunt on his personal site. "What really disappoints me is the total lack of care shown by VTech in securing this data."

These sentiments were echoed by Wood, who described the security as "decades out of date".

The Mattel-made "Hello Barbie" – a toy described as Siri in the form of a doll – is another recent product that has faced criticism over security concerns. Andrew Blaich, a researcher at Bluebox Security, found flaws in the toy that would allow hackers to intercept the conversations a child has with Barbie. At the time of writing, several of these vulnerabilities had already been patched by ToyTalk, the start-up Mattel partnered with on the toy.

A Mattel spokesperson told CyberShack that it currently has no plans to bring Hello Barbie to Australia or New Zealand.

Wood says the mindset that these devices are "just toys" is often to blame.

"Across the full scope of connected devices we're seeing these issues, but certainly, from a layperson's perspective the risks of things such as toys wouldn't even enter most people's minds, so they seem to be an even lower priority," said Wood. "I think we're seeing these issues because companies in general didn't take the privacy and security of users seriously, and are often reactive in their measures, saying all the right things after a breach, but not doing anything prior to ensure that it was as minute a chance as possible."

Concerningly enough, there's often no way for parents to know about the security of a toy until after it's already been compromised.

While Wood didn't go as far as telling parents to avoid buying connected toys altogether, he said that they need to weigh up the potential risks before making the purchase.

"It really depends on an individual's aversion to risk, and how they feel about privacy."

"Many people would feel uncomfortable if you told them that their Barbie might be spying on their conversation, or pictures of their children playing were available to strangers on the internet. The other issue is that if a company loses a child's personal information, such as date of birth, it will be available on the internet forever."

With more connected toys on the horizon, such as Avaki and the Cognitoy Dino, it seems the best bet is to hope manufacturers take security more seriously. Especially because they're likely to end up on next year's Christmas wish list.

Brought to you by CyberShack.com.au