
MyFriendCayla banned. Are all listening Bluetooth devices set for the bin?

Ken Munro 21 Feb 2017

Following the German banning of the US company Genesis Toys’ My Friend Cayla (distributed by Vivid Imaginations in the UK), we thought it would be timely, and maybe helpful, to look at other similar devices which could suffer the same fate.

In essence the legislation (paragraph 90 of the Telecommunications Act, which deals with abuse of broadcasting or other telecommunications equipment) enables the ban because Cayla can be construed as a “concealed transmitting device”. We have our own view on this, but that is by the by.

Is Cayla alone?

Anyway, here are some other devices that share similarities with Cayla, in that they use Bluetooth connectivity to allow a mobile device to interact with the toy/device, and the toy/device potentially has listening functionality. We haven’t tested all these devices yet, just the ones from Genesis. But based on their specs and details in the company’s FAQ, they look like likely candidates, ripe for further research.

i-Que. This toy is made by Genesis and has the same lack of pairing security as Cayla, so is vulnerable to the same issues. It was also part of the BEUC complaint late last year.

My Friend Teddy. Besides being really irritating, he is also made by Genesis. You guessed it; no pairing security either, so just as vulnerable as Cayla.

Zambu, Bunga and Kumki. Made by Avanti Toys, this is how pairing security SHOULD be done: the power button has to be pressed for several seconds to make the toy enter pairing mode. Whilst the PIN is always ‘0000’, if the toy isn’t in pairing mode, you can’t pair. It could be done better, as one could potentially intercept the pairing process, but this is a shed load better than Cayla.

Bluebee Pals. It’s harder to figure out the pairing process, but it’s detailed on their homepage. There’s no pairing PIN and the toy appears to be in pairing mode for two minutes when it’s first turned on. Not as bad as Cayla, but not great.

Pebli Town. Like Kumki, a pairing button has to be pressed. Definitely way more secure than Cayla, but still opens up potential opportunities for rogue connections. Ideally, each Pebli board would have a unique pairing PIN.

Hello Barbie AND Barbie Hello Dreamhouse. These two may have issues all their own, though with Wi-Fi rather than Bluetooth, according to this Guardian report.

Disney Marvel Avengers. The instructions make no mention of pairing security, so one assumes the worst: that it’s always in pairing mode and has no pairing PIN. We can’t see evidence of a microphone, but it has a speaker that rogue audio could be played back on.
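The pairing postures described in the list above, modelled as a device-side gate that decides whether to accept a pairing request. This is an added example, not code from the original post or from any of these toys; every name, the 3-second hold, the 60-second window and the sample unique PIN are assumptions, and comparing the PIN directly is a simplification of real Bluetooth pairing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical device-side pairing gate. Simplified: real Bluetooth pairing
   feeds the PIN into key derivation rather than comparing it directly. */
typedef struct {
    uint32_t hold_ms;      /* button hold that opens the window; 0 = no button gate */
    uint32_t window_ms;    /* how long pairing stays open; 0 = always pairable */
    bool open_on_power_up; /* window opens at power-on without a button press */
    const char *pin;       /* NULL = no PIN */
} pairing_policy;

typedef struct { const pairing_policy *p; bool open; uint32_t opened_at; } pairing_state;

/* Constructed values: the page gives no hold time or window length except
   the two-minute power-on window. The last PIN stands in for a per-unit value. */
const pairing_policy ALWAYS_OPEN   = { 0,    0,      false, NULL };
const pairing_policy POWER_ON_2MIN = { 0,    120000, true,  NULL };
const pairing_policy BUTTON_FIXED  = { 3000, 60000,  false, "0000" };
const pairing_policy BUTTON_UNIQUE = { 3000, 60000,  false, "834201" };

void power_on(pairing_state *s, const pairing_policy *p, uint32_t now_ms) {
    s->p = p;
    s->open = p->open_on_power_up;
    s->opened_at = now_ms;
}

void button_released(pairing_state *s, uint32_t held_ms, uint32_t now_ms) {
    if (s->p->hold_ms != 0 && held_ms >= s->p->hold_ms) {
        s->open = true;
        s->opened_at = now_ms;
    }
}

/* Accept only inside an open, unexpired window and, if set, with the right PIN. */
bool accept_pairing(pairing_state *s, const char *pin, uint32_t now_ms) {
    if (s->p->window_ms != 0) {
        if (!s->open || now_ms - s->opened_at > s->p->window_ms) {
            s->open = false;
            return false;
        }
    }
    if (s->p->pin != NULL && (pin == NULL || strcmp(pin, s->p->pin) != 0))
        return false;
    s->open = false; /* one pairing per window; no effect when always pairable */
    return true;
}
```

With `BUTTON_FIXED`, anyone in radio range during the window who tries ‘0000’ is accepted; `BUTTON_UNIQUE` closes that gap by also requiring a value specific to the unit.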

More than toys

OK, so that’s a few toys we found, but what about other devices? What about the Senstone note-taking dictation device on Kickstarter? What about voice-activated smartwatches, or ones with voice calling functionality? Where does it leave the listening TV that we reported on back in 2015?

…and what about the coming raft of IoT devices which will integrate listening technologies and be paired with mobile devices?

Germany may have set an extremely tricky precedent for itself, and one which could create the need for far tighter and far more explicit legislation, specific to connected devices.