Consumer watchdog calls on retailers to stop selling connected toys with proven security issues

The UK consumer watchdog Which? has called on retailers to stop selling popular connected toys it says have proven security issues. These include Hasbro's Furby Connect, Vivid Imagination's I-Que robot, and Spiral Toys' Cloudpets and Toy-fi Teddy. In its report, Which? found that these toys do not require authentication to link to other devices via Bluetooth, meaning that any device within range could connect to the toys and take control of them or send messages. Spiral Toys did not comment. Vivid said there had been no reports of malicious uses of these products but that it would review Which?'s recommendations. Hasbro said it believed the test results had been obtained in specific conditions. Which? also tested the Wowee Chip, Fisher Price's Smart Toy Bear, and Mattel's Hello Barbie but did not find serious security concerns. 

http://www.bbc.co.uk/news/technology-41976031

Writer: BBC
Publication: BBC
Publication date: 2017-11-14
 

What is Privacy International calling for?

As computing becomes embedded everywhere, privacy, security and safety issues converge. In the future, our infrastructure will be insecure and unsafe due to insecure devices and components that are not patched.

As more devices become ‘connected’ and services become ubiquitous, they may generate and collect massive amounts of data in excess of what is necessary for the provision of the specific service or function. For instance, the “always on” nature of connected or smart devices and the granularity of data collected potentially enables the provider and other parties access to vast types and volumes of data.

A mere software update or change in business practice can change the frequency of sharing and the parties to whom data can be transmitted can change at any point in time.

Securing these technologies becomes even more challenging as they are embedded in complex systems, difficult to alter or update for security purposes, and control by the individual is limited.  Too often companies decide for business reasons they will no longer support the software or hardware, including for security updates when vulnerabilities are found, leaving consumers unprotected.

This creates an unsafe environment. Unpatched, insecure, and unmaintained systems and infrastructure leave us vulnerable.

Devices, networks, and services and insecure yet they process more data

Manufacturers and/or vendors must be responsible for the security and privacy design in the products they manufacture and sell, throughout a clearly identified period.

 

Principle 3. Responsible security