In 2015, Mattel announced a digital update to one of the most popular toys the world has ever seen: a new doll, Barbara Millicent Rogers, commonly known as Barbie! During the more than 55 years since Barbie was originally introduced, an estimated 1 billion Barbie dolls have been sold in over 150 countries.
Although there have been Talking Barbie Dolls marketed in the past decades, Mattel announced last year that this latest Barbie would be able to interact with the child's words using a built-in microphone and speaker. Most importantly, the spoken words of the child, recorded by the microphone, would be sent to cloud-based database systems, where they could be analyzed and used to customize the vocal responses from Barbie to the child's words.
Parents could then access a Mattel website to select what discussion topics are allowed, create and store audio files of the conversations between the child and Barbie, and use other interesting capabilities, all for a very popular child's toy.
Whoa, this all sounds pretty neat and an awesome consumer application of IoT functionality, but imagine the potential implications for security and privacy! We have plenty of adult consumers who don't totally understand the impact of security breaches. Now, we'd be expecting elementary school age children (or younger) to deal with the repercussions of a security breach. This could negate one premise of security implementations: the ability to detect breaches. Of course, children cannot be expected to recognize them!
Not the First Toy With IoT Security Concerns
An earlier Internet-connected doll, Cayla from Vivid Toys, had an easily demonstrated security weakness. The Bluetooth implementation in the doll had virtually no protection at all, and Cayla could easily be used to spew words that no toddler should ever hear.
Vivid Toys claimed that no security breaches occurred in the hundreds of thousands of Cayla dolls that have been shipped, but the concern remains. A security protection update from Vivid Toys is insufficient to prevent the problem from occurring: security experts have easily shown that rejection of speech from a list of unacceptable words is not a viable solution.
One could argue that the use of Bluetooth in Cayla limits the potential for a security breach, since it is quite short-range (although the information is sent on to the Internet for analysis and responses). However, the new Barbie uses Wi-Fi to communicate to Mattel cloud servers controlled by its website through the toy owner's household Internet connection! The words spoken by the child are sent to the servers and used to customize a vocal response; Barbie speaks the response words to the child.
Parents have to identify themselves by logging into the Mattel website to manage their children's information and other controls. And we know just how secure that can be, right? If hackers break into the Mattel system, or the parents use weak passwords, the child's recordings could easily be exposed to the world; no system is perfectly secure from the attacks being mounted. These recorded conversations could easily include far too much information on the child.
The difficulty is that companies, even large corporations, do not seem to understand the security implications and concerns or implement security solutions in their IoT connected products. It is a new experience for them; the issues of product development, cost reduction, manufacturability, ease of access, etc., are more important, pressing issues.
When security is implemented, it tends to be an afterthought, possibly after a security breach occurs or is demonstrated, rather than a conscious up-front design effort.
Unfortunately, this isn't the only time that an Internet-enabled consumer product has exposed young children to breaches that could result in harm to the child, not just privacy issues.
Security of Internet-Connected Baby Monitors
Some years ago, there were reported instances of people gaining access to Wi-Fi-enabled baby monitors with two-way audio and video capabilities. The persons using the monitors were able to see the children and their parents, interact with them, and speak to the children!
Most disturbing were the individuals who used profanity at infants and toddlers. Some could clearly see into the children's rooms; in some cases, they addressed the children by name because the child's name was printed on her bedroom wall. The video camera was essentially open to access.
These issues highlight a concern that must be addressed quickly, before the breaches lead to dangerous outcomes. Companies that are just getting into the IoT markets, particularly with products for children, must take extra care to ensure that security breaches do not lead to loss of privacy or, worse, a safety issue for the consumer or their children.
Security implementations for consumer IoT products must be part of the design process, with a conscious analysis of the consequences of security breaches, with appropriate solutions to ensure general public safety and reasonable consumer privacy. This is far more important for children than adults!
As you build security into your IoT products, our whitepaper can help you review what you must consider during the design of your devices, the transport of data, and across the overall application.