Internet of Things Attack using Dolls!
IoT Dolls that Spy on Kids, oh my…
It’s no secret: millions of IoT devices have terrible security. Yet people continue to buy them and they continue to surface in cyber attacks. But does the internet of things pose a real threat? What types of IoT attacks are being launched? What vulnerabilities are being found?
Parents in Germany were shocked to learn a doll bought for children could be used to spy on them. The Federal Network Agency, a telecommunications watchdog in Germany, advised parents in Feb. 2016 to destroy the talking doll, called My Friend Cayla. Cayla could connect to a smartphone via Bluetooth, giving the doll internet access. This connection allowed it to converse with children, answering simple questions such as, “What’s two times two?” Unfortunately, the IoT doll also recorded children’s conversations and stored them on an online server (yikes!). And it gets worse: the poor security of the doll’s Bluetooth connection could easily allow an attacker to connect and use the toy as a spying device.
The U.S. Federal Trade Commission filed a complaint against Cayla’s manufacturer, Genesis Toys, in Dec. 2016. Here’s the first paragraph of the FTC’s complaint:
“This complaint concerns toys that spy. By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States.”
While no evidence of the doll being used in an IoT attack has surfaced, the size of the vulnerability and the potential impact on children are eye-opening.
Disclaimer: This doll has not committed any crimes that we know of, and is only used for illustration