Only the Grinch would tell you to take away one of your kid’s great new toys and return it, right? But in this case, the Grinch might have a point.
Cybercriminals the world over are always looking for new ways to break into banks, retailers, credit card processors and our homes. Never long on good cheer or simpatico, they now might be managing to exploit three of our most cherished institutions — family, the holidays, and children — in an especially despicable and heartless way: using toys with Internet connections to gain personal information.
Using connected devices to hack into home systems is nothing new. One especially well-executed attack of this kind last year took advantage of cheap security cameras that were all shipped with the same default password. Those of you who haven’t been playing without a helmet for too long have probably taken some basic steps to secure your home ecosystems.
You’ve updated and strengthened your passwords, installed security software, and you regularly monitor your accounts for suspicious activity. You’ve been doing some reading and know that even lighting systems and security cameras are avenues of attack for the bad guys, and you make sure that those come with the proper protections.
What you probably didn’t think about is that cuddly doll your four-year-old has conversations with. You know, the one with that impossibly rich vocabulary and an immense fount of knowledge? How, you wonder, can they cram all of that into such a little package?
They can’t. The cute little bugger is Bluetoothing everything your child says to your smart phone and then to a server farm in God knows where, and it’s all being done over the open Internet.
Do you remember securing the thing with a password when you set it up? No? Then nothing’s stopping the bad guys from using Mr. Fuzzy Wuzzy to find out a lot more about you than you want them to know, and they can do it just by asking your kid.
This isn’t speculative paranoia. An interactive doll from Genesis Toys called "My Friend Cayla" has been banned by the German government because it contains an "illegal surveillance device," namely a Bluetooth-connected microphone that transmits a child’s voice to Nuance, a third-party voice recognition company.
In the U.S., several consumer protection groups banded together to file a complaint with the FTC about not only Cayla but an "intelligent robot" named i-Que also manufactured by Genesis Toys. Seems that Cayla not only has conversations with kids, but asks them for such information as their parents’ names, what schools they go to, and where they live.
If you stitch together several layers of disclosure documents published separately by Genesis and Nuance, it turns out that audio files and associated text transcriptions of your kid talking to Cayla could be sold to military, intelligence, and law enforcement agencies.
Better hope that your kid’s voice and speech patterns don’t happen to match those of a serial killer being chased by the FBI or a terrorist being hunted by the Department of Homeland Security (DHS).
While that might seem unlikely, consider this: As of last year, neither Cayla nor the i-Que robot required an authentication procedure like the ones normally used to pair devices. Any Bluetooth-enabled smart phone or tablet within 50 feet could start communicating with the toys instantly, even if their companion apps aren’t installed, because Cayla and the robot look like ordinary hands-free headsets to those mobile devices.
And it got worse: Anyone who called one of those automatically-paired phones from another phone could converse with the child through the toy. Hackers could also program the dolls to bypass protections against the use of inappropriate language, or to spew whatever filth the hacker felt like spewing. At the behest of The Mirror, a security professional had Cayla quote Hannibal Lecter and recite lines from "Fifty Shades of Grey."
The manufacturer insists that vulnerabilities have been corrected in both toys. (Genesis also makes another easily hacked interactive toy, a talking parrot called the Teksta Toucan.) I hope that’s true, but consider the foregoing as object lessons that might apply to other connected toys.
If there are no authentication procedures or opportunities to enter passwords, or if a little on-line searching shows concern being expressed by consumer watchdog groups and agencies, seriously consider avoiding those gadgets — however cute or clever.
Lee Gruenfeld is a managing partner of Cholawsky and Gruenfeld Advisory, as well as a principal with the TechPar Group in New York, a boutique consulting firm consisting exclusively of former C-level executives and "Big Four" partners. He was vice president of strategic initiatives for Support.com, senior vice president and general manager of a SaaS division he created for a technology company in Las Vegas, national head of professional services for computing pioneer Tymshare, and a partner in the management consulting practice of Deloitte in New York and Los Angeles. Lee is also the award-winning author of fourteen critically-acclaimed, best-selling works of fiction and non-fiction.
© 2023 Newsmax. All rights reserved.