Sensors and security holes are common companions on a range of connected toys and consumer devices available to consumers this holiday season.
Germany’s telecommunications regulator made headlines last week by ordering citizens who had purchased smart watches for their children to have the devices destroyed. The devices, equipped with microphones and GPS locators were little more than surveillance tools that violate that country’s privacy laws, the Bundesnetzagentur declared.
But smart watches are hardly the only sensor rich and vulnerable devices out there. Surveys and audits of a range of other connected toys and consumer devices reveal that sensor rich- and vulnerable devices abound this holiday shopping season, with many at risk of becoming spies under the Christmas tree.
In one example, a survey of a range of connected products by the Russian anti malware firm Kaspersky Lab found that cameras and wireless Internet connections have become go-to features even on products where they make little sense.
The company wrote about a battery charger that sports a wi-fi hotspot and a companion mobile application for remote monitoring as it recharges a range of consumer grade (3v to 12v) batteries. A robotic vacuum cleaner Kaspersky studied also sports a wi-fi hotspot and a camera so that owners can get a vacuum-eye view of their living quarters. A child’s remote controllable car has both a video and still camera and an audio speaker, turning it into what Kaspersky dubs a “smart app controlled wireless spy vehicle.”
The problem isn’t just that modern-day consumer devices are lousy with cameras, GPS and other sensors. It is also that they often come riddled with security weaknesses, including the use of weak passwords and insecure wireless communications. Those security holes leave them vulnerable to being compromised by either distant or proximal attackers.
In Kaspersky’s audit of connected devices, a number of security weaknesses recur across products. Most come with default passwords that are not device specific and that are easily discovered in print or online documentation. The password for the “smart” battery charger was “11111” – a value published in the device’s documentation. The wireless spy car didn’t require any password. Brute force protections were rare. Those prevent attackers from simply trying to log in hundreds or thousands of times until they get the right password.
Even more common is the use of outdated software – specifically variants of the Linux operating system – and unencrypted communications protocols like Bluetooth, Bluetooth Low Energy (BLE) and HTTP to transmit sensitive information from the devices and the (mobile) applications controlling them. Such lapses mean anyone with access to the same network as the individual managing the device could snoop on that traffic and, potentially, intercept sensitive information like user names and passwords.
Kaspersky isn’t the only firm to discover lax security in connected toys and consumer devices being sold to consumers during the holiday season. The security firm Context security took a look at the Furby Connect doll and found similar problems to the researchers at Kaspersky. For example, the device, which communicates via Bluetooth Low Energy, doesn’t use any of the BLE security features like authenticated pairing or link encryption. “This meant that anyone within range of the communication could intercept unencrypted packets, inject their own content, or establish their own connection with the toy – all without any physical interaction required on the part of the user or the attacker,” the researchers wrote.
There are plenty of caveats to these security warnings. Many of the toys and consumer devices that are being warned about are low-value targets for hackers and hold little data of use to cyber criminals. However, the presence of sensors like cameras, microphones and GPS location trackers on these low-value, inexpensive endpoints does present a serious risk to both individuals and corporations.
In our most recent Security Ledger podcast, researcher Ken Munro of Pen Test Partners notes that toys and other consumer devices are often marketed as “Internet safe” and secure, but that there is no independent standard against which consumer can measure such claims – and the claims themselves are often little more than marketing.
Munro said that, while toys like dolls and cars aren’t designed to be surveillance products, that’s a distinction without a difference. “I don’t think manufacturers set out to create an invasive product,” Munro said. Rather, the companies typically are motivated by a desire to get a product to market quickly and make a buck. “Nobody thought to raise the question of security, just through probably ignorance and a lack of time.” The result is products that could be used for surveillance by a wide range of actors, from nosy neighbors to financially motivated hackers.
The best solution for now may be to simply avoid products that sport both Internet connectivity and sensors, Munro said.
That, in the long-term, may complicate adoption of Internet of Things devices for the home and workplace. A survey by the firm Gemalto found that consumers (90%) and businesses (96%) overwhelmingly support IoT security regulations. Gemalto found that 65% of consumers were concerned about a hacker controlling their IoT device while 60% were concerned about data being leaked, Gemalto found.