Blog: Internet Of Things

Our Friend Cayla: No Longer Welcome in Germany!

Mehmet Kadir 17 Feb 2017

Things haven’t been going so well for our friend Cayla, and it seems like that’s not going to change any time soon. The Federal Network Agency in Germany has now deemed Cayla to be a concealed transmitting device, and has called on parents to destroy any of the dolls in their possession. If it wasn’t heart-breaking enough to find out that your best friend could be spying on you, children will now wake up to find their best friend has gone missing. Oh the trauma!

It’s claimed that the basis of the ban is paragraph 90 of the Telecommunications Act, which deals with abuse of broadcasting or other telecommunications equipment. I’m not a lawyer, and I can’t read German, but I’ve had a look at a translated version of paragraph 90 of the Act and it certainly raises some interesting questions. Of particular interest is whether this same ruling can be applied to similar devices that lack basic protections. Technically speaking, Cayla isn’t intended to be used as a “concealed transmitting device”, though it may be exploited to function as such due to its lack of security.

If the banning of the device is motivated by the fact that its security is so poor, then the implications of this could be quite significant. Anyone who has been following our blog over the years knows we’ve uncovered a plethora of devices that have weaknesses within them, many of which could allow an attacker full access to the device. Well, what’s to say those devices aren’t being used as “spy” devices also? They most certainly can be, and in fact many have far greater network connectivity than Cayla, and can be used to intercept and reroute all kinds of interesting traffic from within a network. Although this may not conjure the same kind of emotional response as a children’s toy being hacked, it’s still a legitimate concern with widespread security implications at multiple levels — including at the state level.

I personally welcome anything that puts more of the responsibility for securing products on manufacturers. As consumers, we don’t expect that the fridges, coffee machines and dolls that we bring into our homes may be leaving us vulnerable to those with malicious intent. In this case, the ban means that someone, somewhere, is going to be losing money. If that can be used as a way to motivate manufacturers to push security higher on their agenda, then I’m all for it. Cayla is just one example of how a consumer product that is poorly implemented from a security perspective can have a direct impact on our privacy, but we shouldn’t forget all the other devices we bring into our homes which have the potential to cause just as much – if not more – damage.