No Genesis Toys, My Friend Cayla can be hacked even if you do follow the instructions!

Ken Munro 06 Mar 2017

I was bemused by the response from Genesis Toys’ distributor Vivid to the ban by the German telecommunications regulator a couple of weeks back. They were quoted by Sky News as follows:

“Vivid GmbH said it was taking the allegations about My Friend Cayla “very seriously” and would challenge the sale ban in court.

“She is not an espionage device and can be used safely in every respect according to the user manual,” said the German company in a statement.

I don’t think that’s the case:

Having thrown away the box and instructions to Cayla over a year ago, I went and bought one new. Not an easy task, given so many retailers have de-listed her already, but eBay came up trumps. Rather ironically, the doll that arrived was boxed for the German market!

Out came the instructions – here’s a copy. Now remember there is NO PAIRING security with the doll. Hence, when the legitimate user moves out of Bluetooth range of the doll, any other device can connect to her.

I’ve highlighted their ‘tip’: “Remember to switch Cayla off after use to conserve battery power”. I don’t know about you, but my kids continually forget to switch off battery-powered devices whilst playing with them. It also doesn’t cover the child walking off and coming back to the doll. Nor does it cover the kid’s phone or tablet running out of charge. They hadn’t finished playing with Cayla, but she is now in a vulnerable state.

Should that ‘tip’ be re-written as follows? “Never leave your child unattended whilst playing with Cayla, as you could expose your child to malicious third parties if you do. That’s because we didn’t make the pairing process secure.”

Just to prove the point, I made a quick video showing Cayla happily telling the child a story; then the child goes out of Bluetooth range and we get some fairly offensive tunes playing on her instead.

That’s pretty tame, compared to what a less pleasant attacker might want to do.

So, Genesis Toys and Vivid Imaginations, My Friend Cayla CAN be hacked, even if one follows the instructions.