If a Toy Isn’t Protected, Should It Even Be Connected?

Dean Coclin
3 min read · Sep 7, 2018

In 1995, kids everywhere fell in love with Woody and Buzz, ultimate frienemies from the Pixar film Toy Story. This first-of-its-kind animation had millennials enthralled by the idea of their toys coming to life. But, as they say, be careful what you wish for. Just a generation later, those same millennials who dreamed of lifelike toys are now trying to protect their kids from, well… lifelike toys.

Today, you can buy your kids toys like a WiFi-enabled toothbrush that turns a daily chore into a video game, a GPS smartwatch that tracks their location and even a doll that can carry on a conversation with your child, remembering its owner’s preferences, just like Woody. Many of these toys use Internet-connected microphones, cameras and remote controls that collect data on your child’s behavior. Worse, some can be remotely controlled by malicious hackers using even amateur programming knowledge. As a demonstration, one hacker took control of a stuffed animal and programmed it to play a disturbing message to his child.

Another company, which sells Internet-connected stuffed animals, admitted to exposing around two million voice recordings — many of which were recorded by children. On top of that, the breach leaked the personal information of nearly one million customers. This toy has since been removed from Amazon, costing the manufacturer a significant chunk of revenue.

What are the most common vulnerabilities in connected toys?

Factory default passwords are one of the most common problems plaguing connected devices today. Often, these default passwords can be cracked in a matter of a few minutes, unless the user changes the password to something custom. But even with password protection, information about your child is still being shared over the Internet without being kept private. This data can be sold on the dark web or even used to demand a ransom. Digital certificates address this problem: they let the toy authenticate the server it talks to and set up an encrypted (TLS) channel for any data sent from the toy to a server, cloud service or anywhere else.

A recent model of the Hello Barbie doll used SSL/TLS certificates to encrypt the initial configuration. As another layer of security, Barbie uses signed code that can only be modified with a proper signature. Still, the manufacturer asked itself a more basic question: “Does this toy need to be connected to the Internet at all?” In the end, they decided that instead of connecting to the WiFi, this Barbie would use pre-recorded messages to respond to user questions.
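To make the "signed code" idea concrete, here is an added example (not Mattel's or any real toy's update format; the header layout, key handling and version rule are assumptions) of how a device can refuse any firmware that was not signed by the manufacturer or that is older than what is already installed:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update image layout (an assumption for this example):
// [4-byte big-endian version][64-byte Ed25519 signature][payload].
const sigLen = ed25519.SignatureSize

var ErrBadSignature = errors.New("update rejected: signature does not verify")
var ErrRollback = errors.New("update rejected: version not newer than installed")

// SignUpdate is the manufacturer's build step: sign version||payload with the
// private key that never leaves the build server.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	sig := ed25519.Sign(priv, append(hdr, payload...))
	return append(append(hdr, sig...), payload...)
}

// VerifyUpdate is the toy's check before flashing: verify the signature with the
// public key baked into the firmware, then refuse anything that is not strictly
// newer, so a valid but old (possibly vulnerable) image cannot be replayed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < 4+sigLen {
		return nil, 0, errors.New("update rejected: image too short")
	}
	hdr, sig, payload := img[:4], img[4:4+sigLen], img[4+sigLen:]
	signed := append(append([]byte{}, hdr...), payload...)
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(hdr)
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return payload, version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignUpdate(priv, 2, []byte("constructed firmware payload"))
	_, v, err := VerifyUpdate(pub, 1, img)
	fmt.Println("genuine image:", v, err)
	img[len(img)-1] ^= 0x01 // flip one payload bit: the signature no longer matches
	_, _, err = VerifyUpdate(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```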

Why do so many connected toys lack security features?

A core issue with consumer products is that they are driven by cost and time to market, which often leads to toy manufacturers not building security into the design of their product. The profit motive is strong and consumer devices have yet to receive significant backlash for dangerous security breaches, when compared to medical devices, connected cars and other IoT products.

The security of connected toys hasn’t been on the radar for most consumers, but that’s changing. Manufacturers should see this as an opportunity to differentiate themselves from their competitors and protect their bottom line. A properly implemented security solution built into the design phase is much more cost-effective and worth a little extra time when compared to the alternative of negative publicity and shrinking sales if a security issue does arise. If it isn’t protected, should it be connected?

If you’re designing a new toy, ask yourself whether it truly needs to connect to the Internet. If it does, one of the best ways to save time and money is to build security in upfront. Things have changed in the two decades since Toy Story’s release. What hasn’t changed is our fascination with making our toys come to life. Just this month, a Pixar employee announced that Toy Story 4 will be released in summer 2019. What will we do in 2019 to make our off-screen toys better and safer?


Dean Coclin

PKI guy helping to evangelize security for connected devices at DigiCert