This post comes from Ed Skoudis, a member of the RSA Conference Advisory Board.
Remember the Island of Misfit Toys from the enduring holiday classic, Rudolph the Red-Nosed Reindeer? Outcast toys just woefully waiting around for Santa to aid them, hoping to find a suitable home so that they could leave their tear-stained island. Well, those toys wouldn’t have the same problems today—they could be proactive, tweeting their availability, putting up an ad on Craigslist, sending emails to prospective homes, and much more. Well, maybe they couldn’t do all of that just yet, but it’s not so far-fetched, thanks to the burgeoning Internet of Toys.
The umbrella under which the Internet of Toys falls is better known as the Internet of Things – something that has been gaining attention exponentially in the last few years. From refrigerators to cars, and even insulin pumps, more and more objects are being connected to the Internet. According to Gartner, there are already approximately 10 billion devices permanently connected to the Internet, with an added 50 to 60 billion devices attaching intermittently. Think about the magnitude of those numbers. The Internet of Things has indeed arrived, and those numbers are expected to rise massively.
The toy industry alone is enormous, but it also makes up a large portion of products being infused with Internet access. On the one hand, it’s an exciting development—it allows toys to transform and adapt based on their interactions with children, creating more engaging play. Some interactive toys even attempt to fill the gaps and encourage STEM-based learning. But the techno gee-whiz factors that make these toys seem wonderful are often the very aspects that can create the opportunity for children to become prey.
Take a toy’s microphone, for example. It allows child and toy to communicate, but it’s not confined to just them. A malicious hacker could get in, hijack control of the microphone, and gain the ability to converse with and listen in on your child. Or consider a webcam—except, then, the bad guy can see inside your home. We’ve seen it repeatedly in the news with nanny cams being hacked, and the same principles apply to these connected camera-enabled toys. What’s more, some of the toys beacon wirelessly on a regular basis, a feature that could allow for tracking a child’s location.
So what can you do? Make sure you’re instilling general cybersafety tactics in your kids, for one. Choose good passwords, don’t respond to unsolicited emails, and so forth. Secondly, be mindful and aware. If a toy comes with generic login information to begin setting it up, make sure to change the username/password to something secure. And also make sure your Wi-Fi is password protected!
Even before purchase, look at the packaging or online description and reviews to find out what the toy offers. Does the toy track location? Are there cloud capabilities for downloading or for controlling the toy remotely from a mobile phone or tablet? Is there a microphone or a webcam, and if so, is there the opportunity to take the toy offline?
Of course, keep in mind that many of these threats are speculative at this point. Being mindful doesn’t hurt, though, especially since the simple act of a toy being connected to the Internet opens up some interesting attack vectors at the same time it brings in new avenues of play.
-Ed Skoudis, a member of the RSA Conference Advisory Board