The nightmare before Christmas: Cybersecurity risks for children’s toys

The lack of a legal framework to protect children’s toys against cybersecurity risks could have damaging consequences, a leading European consumer rights group has warned ahead of the Christmas festivities, advising parents that some of those toys should not even be kept at home.

Ursula Pachl, deputy director general of BEUC, raised several pressing issues related to the vulnerabilities of children’s ‘connected’ toys, including voice-activated dolls, GPS watches, and ‘smart’ robotic devices.

“There are a number of serious problems as regards children’s toys that can record and transfer data,” she told EURACTIV on Thursday (20 December).

“It’s better not to have these sorts of things in the house for the time being,” she said.

Bluetooth blind spot

Pachl referred to a study conducted by the Norwegian Consumer Council in 2016, in which several specific toy models were found to have security flaws.

For example, the ‘My Friend Cayla’ doll is an interactive device that connects to a mobile phone application via a Bluetooth connection. The doll is voice-activated, answering questions from a user by accessing information garnered from websites such as Wikipedia.

The toy continues to be available on the market, despite the fact that, in Pachl’s words, there are “no basic security features” in the product, alongside the issue that users are not easily able to delete the data extracted by the toy.

The 2016 report revealed the vulnerabilities surrounding Cayla’s Bluetooth functionality, with the study concluding that the device could be easily intercepted remotely by way of a Bluetooth signal.

“This means that anyone within a 15-meter radius can connect to the toys as long as they are turned on, and not already actively paired with another device,” the report reads.

“By simply turning on a phone’s Bluetooth-function and pressing the ‘Top Toy Cayla’ prompt, the phone can be used to play any form of audio directly through the toy, effectively making it a Bluetooth-connected speaker.”

In practice, this could mean that an individual standing outside someone’s house could easily connect to this particular doll via a Bluetooth signal. They could then extract an unlimited quantity of data recorded on the toy’s embedded microphone device, in addition to transmitting their own messages through the device.

“A stranger could easily take control of the toy and speak to your child,” Pachl said.

The Chinese question

The risks are not only confined to the toys studied as part of the 2016 research project, with Pachl saying that there is “rarely a good level of security protection in children’s products” due to the fact they are often produced cheaply in China.

Estimates say that China manufactures approximately 80% of the world’s toys. The country has long been under the spotlight for its poor cybersecurity standards and in early December, Commissioner for the Digital Single Market Andrus Ansip told reporters that “Europe should be worried” about the cybersecurity risks surrounding Chinese companies.

Moreover, on Thursday (20 December), the UK’s National Cyber Security Centre, alongside allies, revealed the global scale of a Chinese cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the US.

“This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world,” UK Foreign Secretary Jeremy Hunt said in a statement.

“These activities must stop. They go against the commitments made to the UK in 2015, and, as part of the G20, not to conduct or support cyber-enabled theft of intellectual property or trade secrets.”

With so much negative publicity surrounding Chinese cyber intrusions, the concerns related to a marketplace in which China dominates are well founded.

“Toys that are imported should be secure. Security must be a feature of connected products,” Pachl said, in the context of Chinese cybersecurity issues.

She added that although the EU has a toy safety directive, the bloc should also have toy security legislation in order to ensure adequate protection from malicious intentions from foreign agents.

“Everything that is placed on the European market should not only be safe but it should also be secure,” she said.

EU legislation

European Union legislation on cybersecurity is unlikely to allay concerns.

The recently adopted Cybersecurity Act, which establishes a certification scheme for a range of products, will not be sufficient to protect children’s toys, Pachl says. The Commission is still due to decide the scope of specific products that will be subject to the certification scheme.

“It’s not enough to establish voluntary measures, as is the case with the Cybersecurity certification framework,” she said. “It’s very unlikely that the products that eventually fall under the Commission’s scope will end up being low-cost items, such as children’s toys.”

For Pachl, consumers should be better informed as to the privacy risks related to children’s toys this Christmas, and she hopes that cybersecurity eventually becomes a “mainstream consumer topic.”

The ramifications of not doing this, she said, would be far-reaching and could impact not only the lives of our children but also civilisation more generally.

“In the ecosystem of the Internet of Things, each and every weakness can be exploited to affect our societies as a whole,” she said.
