The internet of toys, and why we’re holding back this Xmas

We’re continuing our research into potential attack vectors, to see what may be coming in the near future, and have found a whole bunch of gizmos that appear at first glance to have minimal security built in, even though they’re designed for your nearest and dearest. Kids toys.

Typically, connected toys are enabled with Bluetooth or WiFi, via a mobile handset or tablet, and rely on a mobile app to operate them. A few are more social media orientated and operate in a similar way to the messaging apps WhatsApp and Snapchat.

Whatever the functionality or the intended use, we’re puzzled at the utter lack of any security advice (bar one, which is flaky at best), or even any documentation about the permissions the apps will demand.

Anyway, here’s a rundown on a few of the more interesting ones. Put these on your Xmas list if you fancy some interesting security research:

My Friend Cayla. For the moment we’ll leave this to one side as we’ll have a specific write-up on it in the New Year, which I’m pretty sure will be a stunning read.

Scalextric ARC (App Race Control). Now this promises to post race results to Facebook and Twitter so we’re guessing the permissions are likely to be a bit messy. Many, if not most apps that need social media permissions also ask for contacts and location stuff, whether they’re essential or not. It’s a constant development issue where no-one checks properly, and one that opens up the attack surface of a device considerably.

Bandai Tech Pet Puppy. This little rascal turns your phone into a Tamagotchi sort of a thing, which intriguingly promises to allow multiple devices to be connected.
…and we know how that usually pans out in the world of hacking.

The DynePod from Dynepic is an interesting idea, but won’t be available until summer 2015. One thing it can do is alert fellow DynePod owners that you are in range, so a kind of homing beacon which could be used for evil. They do say that safety is a concern but don’t say how this is handled.

Adult internet toys

So that’s a few kids toys, what about adult toys I hear you ask? Well we’ve got those covered too you’ll be pleased to know. Apparently “cyberdildonics” are set to be the next big thing in sex toys, allowing you to share “sensations” across the internet *cringe*, and there is no shortage of products from various manufacturers, and even a social media site where you can get some random who you’ll probably never meet to “drive” your sex toy for you.

If an attacker could intercept the devices communications they could portray their victim as a monumentally inept in the stimulation department, which would be hilarious and tragic in equal measure.

We have some early research in to one of these that indicates that video of rather personal interaction with sex toy is stored in weakly protected removable storage. Oh dear. Naked selfie videos anyone?

So, there’s a timely toy round up, of things that we don’t recommend.