What Does the Teddy Bear Say?

Weekly Article
July 26, 2018

Imagine it’s the week before Christmas 2016, and you want to buy a gift for your grandchildren. Because you live across the country, you don’t get to see them very often. But, of course, you don’t want them to miss out on having you in their lives. Fortunately, you see an advertisement for a teddy bear—the sort of holiday gift you know that your grandchildren will love.

It looks like a standard-issue teddy bear: furry, brown ears; a soft, round belly; wide, playful eyes; and a big, bright smile. But it differs in one crucial way. This stuffed animal, known as a CloudPet, connects to Wi-Fi, which allows your grandchildren to hear the exact messages you record for them repeated back each time they squeeze the toy’s foot.

You don’t give this feature a second thought until February 2017, when you’re notified that nearly 2.2 million voice recordings have been exposed, affecting more than 800,000 users. You suddenly realize that the messages—the voices of your young grandchildren—that you thought were private are now available to the whole world. But this frightening incident isn’t unique. Rather, it’s just one example of the increasing vulnerabilities of insecure Internet of Things (IoT) devices in today’s connected world; by 2020, these devices are estimated to reach 20 to 30 billion units. As a result, it’s crucial that consumers know what’s at stake, especially for children, when using even the most mundane of IoT items.

While simple and sweet on the outside, CloudPets, which were discontinued after the breach became public, actually contained some complex technology. Using a mobile app, users were instructed to record messages, stories, lullabies, and songs with their cell phone. A third-party service, MongoDB, stored the messages on a database, and then replayed them through the CloudPet’s speaker when activated. Children, too, could return messages using this process.

The breach was apparently possible because MongoDB stored the data in a public-facing network—one that didn’t require authentication to access—making user information accessible to hackers. On top of that, since a complex password wasn’t required, hackers could easily guess the most common ones—“qwerty,” “password,” “12345”—and log into accounts. While Spiral Toys, CloudPets’ parent company, claimed to have been made aware of the breach only in February 2017, Troy Hunt, the researcher who verified the breach, wrote on his blog that someone who’d tipped him off had attempted to contact the company about the breach multiple times but got no response. “Unfortunately, this one was ridiculously easy,” Hunt said of the incident to the Huffington Post. “The company that runs the service left their database public on the internet without a password and people found it. It was that simple.”
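The failure Hunt describes, a database reachable from the internet with no password, comes down to two settings in a MongoDB server configuration. The mongod.conf fragments below are an added illustration, not the CloudPets or Spiral Toys configuration (which was never published): the first reflects what the defaults before MongoDB 3.6 amounted to, listening on every interface with authorization off, and the second shows the corrected settings.

```yaml
# Two separate mongod.conf files shown back to back, separated by ---.
# Constructed illustration, not the configuration from the breach.

# 1. Exposed: the server accepts connections on every network interface
#    and no client has to authenticate before reading or writing data.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# 2. Corrected: the server is reachable only on the loopback address
#    (or a private application-network address), and every client must
#    authenticate as a role-limited user before touching a collection.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

A host firewall that limits port 27017 to the application servers is the second layer, and enabling authorization only helps if the accounts behind it reject the weak passwords the article lists.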

For several reasons, attacks against children’s devices are especially dangerous. First, while security is a serious concern for most parents and many feel confident using parental-control settings, surveys suggest that consumers are unfamiliar with the appropriate steps they can take to ensure the privacy of their families. Moreover, despite the growing vulnerability of data, the general public still lacks a nuanced understanding of IoT’s scope, and even of what the term really means. This knowledge gap, in turn, puts everyone, particularly children, at risk.

Second, children can’t grant consent to have their data collected. Under the Children’s Online Privacy Protection Act, companies that direct their online services—specifically, services that “collect, use, or disclose personal information from children”—to children under the age of 13 must first obtain verifiable parental consent. But in light of recent privacy breaches, it’s clear that the government ought to require makers of children’s products to take additional steps to safeguard children’s data and privacy.

And third, relatively small and new manufacturers of items like toys are often ill-equipped to securely manage data from internet-connected devices. Connected products are a growing market, and soon everyday devices—toys, yes, but also irons, microwaves, refrigerators—will be able to store terabytes worth of data, from our addresses and phone numbers to conversations we have in these items’ proximity. Consumers will undoubtedly have concerns about how companies respond to these technological trends, and it’s important that they take them seriously.

As I mentioned above, the galling truth is that the CloudPets scenario isn’t a unique one. There have been multiple examples of connected toys with similar security vulnerabilities, typically made possible by unsecured wireless and Bluetooth connections, poor data privacy policies and protections, and the sharing of data with third parties.

For instance, in 2015, researchers discovered that Mattel’s latest version of the Barbie doll, Hello Barbie, was easily hackable for surveillance purposes. Hello Barbie converted voice requests into text via a third-party and then submitted this data to a search engine to generate responses. When connected to the internet, researchers found that hackers could access users’ account information, stored audio files, and the microphone to communicate with and listen to the child.

More recently, and much like Hello Barbie, German authorities in 2017 learned that My Friend Cayla, a popular internet-connected doll, allowed any Bluetooth-enabled device within 10 meters to access the doll’s microphone and speaker. This gave anyone within that range the ability to electronically interact with the child using the doll. My Friend Cayla would respond to user requests and questions using voice-recognition technology. The third-party voice recognition software, from Nuance Communications, would convert voice into text, and then transmit these requests to Google Search, Wikipedia, and Weather Underground.

In all of this is an important warning: consumers ought to be careful, in profound ways, when evaluating the privacy and security of the internet-connected devices they bring into their homes. The Digital Standard, an open-source testing regimen created to evaluate exactly these aspects of connected devices, is one tool to help with that. The ratings magazine Consumer Reports (which helped develop the Digital Standard) has used it to test a series of smart TVs for security vulnerabilities like those found in CloudPets and My Friend Cayla. The goal is to provide consumers with information about the security and privacy of new products so that they can make safe buying decisions, and to encourage companies to follow best practices.

Or, to put it back in terms of toys, the next time you think about getting your grandchildren a teddy bear, you should be able to feel a bit more confident that your gift doesn’t unknowingly allow others to eavesdrop on the conversations you’re having in the privacy of your home.

This piece is from “Raising the Standard,” the Open Technology Institute’s project aimed at helping to address patterns of connected device insecurity, and collecting feedback about the Digital Standard.