The world of Internet-connected devices targeted at children is a magical one. Toy dinosaurs can learn and communicate with a growing child, teddy bears can transmit messages overseas to military parents, and talking dolls can communicate with children via speech recognition software. But this connectedness comes with a price.

Recent hacks on IoT toys are an indication that when children's privacy is breached, the ramifications are serious. Before rushing to market with the latest IoT toy, cybersecurity experts urge companies to address security before they even build the product, not after a hacker gets into the device of a five-year-old.

Another day, another breach
There's still much chatter in the cybersecurity and hacker community about the Spiral Toys brand CloudPets, which are toys that let parents and children send personal messages back and forth. Parents can send messages using a CloudPets app; the messages are then approved and delivered wirelessly to the toy.


It was in mid-February when Ryn Melberg, a cybersecurity expert and agile consultant, started seeing discussions about a possible breach of this product, but it wasn't until the end of February that the company acknowledged the breach.

According to Melberg, hackers are always scanning for unprotected servers. When they stumbled upon this toy's huge data cache, which wasn't protected behind a firewall, the data was exposed.

Melberg added that hackers took a Bluetooth extension and went around neighborhoods, discovering a few CloudPets toys, and found that none of the Bluetooth receivers in the pets were encrypted.

“You would think something like this would have dual encryption,” said Melberg. “Most [devices] do, and you have to be able to log in to the app and then log in to the Bluetooth connection. So several other hackers tried this and found all the toys were open, and then they started to expose it.”

To make matters worse, Melberg said malicious hackers can get into the Bluetooth receiver and have control over the toy. If the hacker is clever enough, they can piggyback code onto the message, thus controlling the toy remotely.

Melberg said the cybersecurity community is discussing the fact that these toys are military-friendly, meaning some mothers and fathers can use CloudPets to communicate with their child when overseas or in active duty.

“When it comes to specifics about the toys being hacked, I have been watching for [Spiral Toys] to respond and I haven’t seen anything,” said Melberg. “I’ve also been waiting for the military to respond and I haven’t seen anything.”

Password policies and protection were another security concern with these toys. According to Bojan Simic, CTO and co-founder of HYPR, a biometrics security company for IoT, the compromised data contained email addresses and passwords. Chances are, some of these users reuse the same email addresses and passwords as they do for their banking, LinkedIn, and other private accounts, said Simic.

A hacker can compromise one system that doesn't have security in place, like the CloudPets toy, and then go after another weak link with the same stolen credentials. Hackers can then gain access to other resources they find useful, said Simic.
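The credential-reuse problem Simic describes has two halves: the breached service stored something that lets an attacker log in elsewhere, and the victim used the same password elsewhere. The service cannot fix the second, but it can make its own dump nearly useless by storing only a salted, slow hash. The following is an added example, not code from the article, Spiral Toys or HYPR; it uses only the Python standard library (hashlib.scrypt and hmac.compare_digest), and the record format, cost parameters and sample accounts are assumptions constructed for the demonstration.

```python
"""Password storage that survives a database dump (added example).

A breached table of plaintext passwords is directly reusable at every other
site where the victim reused the password. A table of per-user-salted scrypt
records is not: the attacker gets a digest, not the password, and the same
password stored at two services yields unrelated digests.
Record format (an assumption for this example):
    scrypt$N$r$p$<salt hex>$<digest hex>
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Interactive-login cost parameters; chosen for this example, tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 16 MiB of memory per hash
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record with a fresh random salt per user."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters; compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def dump_is_reusable(dump_a: dict, service_b: dict) -> bool:
    """Model the credential-stuffing step: for every email in the breached
    service A's dump, try the stored value as the password at service B."""
    return any(verify_password(value, service_b[email])
               for email, value in dump_a.items() if email in service_b)


def demo() -> dict:
    """Constructed data: one parent reusing one password at a toy service and a bank."""
    email, password = "parent@example.com", "correct horse battery staple"
    plaintext_toy_db = {email: password}              # what a careless service stores
    hashed_toy_db = {email: hash_password(password)}  # what it should store
    bank_db = {email: hash_password(password)}        # bank hashes too; same password
    return {
        "plaintext_dump_reusable": dump_is_reusable(plaintext_toy_db, bank_db),
        "hashed_dump_reusable": dump_is_reusable(hashed_toy_db, bank_db),
        "hashes_unlinkable": hashed_toy_db[email] != bank_db[email],
        "verify_ok": verify_password(password, hashed_toy_db[email]),
        "verify_wrong": verify_password("wrong", hashed_toy_db[email]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The slow hash does not make a dump harmless: an attacker can still run each leaked record through scrypt offline against a list of common passwords, which is why a password policy (or, as Simic argues, no password at all) matters alongside the hashing. What it removes is the instant, zero-cost reuse of the dump at other sites, and the salt prevents one cracked digest from identifying every other account with the same password.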

“[Passwords] have been an ongoing issue for four to five decades,” said Simic. “We have to eliminate the password from the question entirely. That way you don’t let people hurt themselves because clearly, they are not learning, and each breach shows us that.”

There are other ways to protect IoT devices besides passwords, like fingerprint sensors, facial recognition, voice recognition, and eye recognition. Embedding such multi-factor authentication is an efficient way to secure connected devices, according to Simic.

Getting security right
On a positive note, Elemental Path, the company bringing toys to life with its CogniToys platform and its IBM Watson-powered dinosaur smart toy, said it's treating security and privacy as a top priority.

To protect their users, John Paul Benini, founder and CTO of Elemental Path, said they encrypt traffic to and from the dinosaur, with each dinosaur generating its own set of keys. Even if one dinosaur is compromised, no other dinosaur's information is encrypted under the same keys.
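The property Benini describes is key isolation: a key extracted from one toy must be useless against every other toy and must be revocable without touching the rest of the fleet. The example below is added here and is not Elemental Path's code; it shows the fleet-side bookkeeping with per-device keys generated on the device, plus replay protection and revocation. Because the Python standard library has no authenticated-encryption primitive, it protects message integrity with HMAC-SHA256 rather than encrypting, so it demonstrates the isolation property, not the confidentiality the article credits the toy with; the device IDs, frame format and class names are assumptions.

```python
"""Per-device keys for a fleet of connected toys (added example).

Each Device generates its own 32-byte key at provisioning; the Backend keeps
one key and one last-seen counter per device. A key lifted from one device
cannot produce a message the backend accepts for another device, and revoking
one device leaves the others untouched. Integrity only (HMAC); a real link
would also encrypt with an AEAD under a separate per-device key.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

Message = Tuple[str, int, bytes, bytes]   # (device_id, counter, payload, tag)


def _frame(device_id: str, counter: int, payload: bytes) -> bytes:
    """MAC input: bind device id, counter and payload with explicit lengths so
    field boundaries cannot be shifted by a crafted id or payload."""
    ident = device_id.encode("utf-8")
    return (len(ident).to_bytes(2, "big") + ident
            + counter.to_bytes(8, "big")
            + len(payload).to_bytes(4, "big") + payload)


def _tag(key: bytes, device_id: str, counter: int, payload: bytes) -> bytes:
    return hmac.new(key, _frame(device_id, counter, payload), hashlib.sha256).digest()


@dataclass
class Device:
    device_id: str
    # Generated on the device itself, never derived from a fleet-wide secret.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    counter: int = 0

    def send(self, payload: bytes) -> Message:
        self.counter += 1   # monotonic, so the backend can reject replays
        return (self.device_id, self.counter, payload,
                _tag(self.key, self.device_id, self.counter, payload))


class Backend:
    def __init__(self) -> None:
        self.keys: dict = {}
        self.last_counter: dict = {}

    def provision(self, device: Device) -> None:
        """The device made its key; the backend only records it (assumed to
        arrive over an authenticated provisioning channel)."""
        self.keys[device.device_id] = device.key
        self.last_counter[device.device_id] = 0

    def revoke(self, device_id: str) -> None:
        """Cut off one compromised device; no other record changes."""
        self.keys.pop(device_id, None)

    def accept(self, msg: Message) -> bool:
        device_id, counter, payload, tag = msg
        key: Optional[bytes] = self.keys.get(device_id)
        if key is None:
            return False                              # unknown or revoked
        if counter <= self.last_counter[device_id]:
            return False                              # replay
        if not hmac.compare_digest(_tag(key, device_id, counter, payload), tag):
            return False                              # wrong key or tampered
        self.last_counter[device_id] = counter
        return True


def demo() -> dict:
    """Constructed scenario: two toys, one fully compromised."""
    backend = Backend()
    dino_a, dino_b = Device("dino-A"), Device("dino-B")
    backend.provision(dino_a)
    backend.provision(dino_b)

    genuine = dino_b.send(b"favorite color: red")
    # Attacker has dino-A's key and tries to speak as dino-B with it.
    stolen_key = dino_a.key
    forged_payload = b"what school do you go to?"
    forged = ("dino-B", 99, forged_payload, _tag(stolen_key, "dino-B", 99, forged_payload))

    results = {
        "genuine_accepted": backend.accept(genuine),
        "replay_rejected": not backend.accept(genuine),
        "forged_with_other_key_rejected": not backend.accept(forged),
    }
    backend.revoke("dino-A")
    results["compromised_device_cut_off"] = not backend.accept(dino_a.send(b"hello"))
    results["other_device_unaffected"] = backend.accept(dino_b.send(b"still fine"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast worth noticing is with a fleet-wide shared key, under which the forged message in the demo would be accepted and revocation would require re-keying every toy. Per-device keys turn a single compromised device into a single revoked record.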

The toy is also cloud based, so Benini said they are constantly updating the security behind it. Since their users are around five years old, they completely anonymize all interactions outside of the system, so that nothing can be traced back to the original child.

What about the audio transmitted from the dinosaur to the child, and vice versa? Benini said that they run an analysis on the audio in order to improve the speech recognition of the toy. The analysis is completely separate from the toy itself, and the data is anonymized and kept in a data store in a separate location.

“Because we stream everything, that audio doesn’t even exist,” said Benini. “It’s not stored, you can’t get to it.”

The companion application exists only to provision the toy, that is, to set up the dinosaur on the home Wi-Fi. Beyond that, the application is where the parent accepts the terms and conditions and sets up a profile, and only those items are needed for the dinosaur to interact and talk with the child.

Because children’s private information can be a liability, all of the information that is not relevant to a game or story or activity is left out, said Benini. If a child says their favorite color is red, that could be incorporated into a story. If a child says they go to “xyz elementary school,” that information is left out.

“We like to think we’ve done a pretty good job with security thus far,” said Benini. “[The dinosaur] has been updated, we have another security patch coming up soon, and we are testing it now.”

Benini mentioned they were alerted to something under the hood of the toy, which wasn't necessarily a vulnerability, but was something a security researcher suggested they take a look at.

“A security researcher told us, ‘Hey, you can do this better.’ And we said, ‘Yes we can,’” said Benini.

Guidelines for IoT-loving parents
Melberg said while it’s up to these toy companies to take proper security measures to secure their devices, it’s also important that consumers understand what steps they can take to protect themselves.

“I do my best to say please never, ever connect to any Internet that isn’t secured,” said Melberg. “I don’t care if it’s Wi-Fi or Bluetooth, just don’t do it. So when I have people ask me about toys like [CloudPets] I say, do you have to authenticate? If it’s no, don’t buy the toy. Can you change the authentication? If it’s no, don’t buy the toy.”

It's important to understand all of the features and functionality of an IoT device being brought into the home, especially if it will be used by a child, said Alex Heid, chief research officer of SecurityScorecard.

He suggests parents understand if and how the device interacts with computers or the Internet, and whether there are any authentication mechanisms related to the product or service. Parents should also understand what data is actually being collected by the company and stored or shared, said Heid.

"As boring as it seems, becoming familiar with the user manual, privacy policies and terms of service will oftentimes reveal surprising conditions that are accepted by the general public without any second thoughts," said Heid.

Websites and online services directed at children under 13 are also heavily regulated under the Children's Online Privacy Protection Act (COPPA). Companies handling data generated by minors should be even more diligent about their information security practices because of COPPA and other compliance requirements, said Heid.

Despite these rules and regulations, there is a general consensus within the cybersecurity community that we are going backwards, said Melberg. IoT continues to expand and is being applied to more consumer products, yet there seems to be a decrease in understanding of the security that is necessary, she said.

“This is something that has the community concerned,” said Melberg. “Part of it comes down to how few people understand cybersecurity. Then we need to provide guidance on how to apply it to a service or product, because these mistakes are avoidable. We need to make security a part of consumer products.”

That means companies racing to get their device to market should really stop and think about security, because unless "someone really takes the security part seriously, we are just going to see worse and worse hacks in the future," said Benini.

He said that responsibility for security is an overarching issue for IoT in general, where the promise of the Internet of Things is really turning into the "Internet of Terrible Things."

“Everyone is out there racing to put something on the market, but no one is stopping to think, does my refrigerator really need an IP address?” said Benini. “Companies that are releasing these IoT devices are shirking the responsibilities and they are not securing the devices either.”

There are a number of steps companies can take, and the easiest is to ensure that any data stored or transmitted is encrypted, said HYPR's Simic. The second is to allow time for penetration testing before the product is released.

That way the company knows that a third party, or at least a person with a security background, has tested and approved the device at least once, said Simic.