Spy toys: A look at the dangers of data breaches in toys

Web-connected toys are a major part of the toy industry, as everything from tablets to dolls are all connected to the internet. But with this often comes dangerous outcomes, with various toy manufacturers suffering from security breaches and hacks. 

One of the most recent to hit headlines involves Spiral Toys’ CloudPets, which saw the items caught up in a personal data leak. 

Vulnerabilities were discovered in the plushies’ Bluetooth functionality, which could allow anyone to connect to the toy’s Bluetooth LE, upload a recording and then play it back. 

This was first uncovered by Paul Stone, principal researcher at Context, who found that even though the Bluetooth LE had a range of about 10-30 metres, anyone standing outside a house would be able to hack into the toy. 

“You have to be in fairly close proximity to the toy to connect to the toy, but someone sitting outside your house could probably connect to it,” Stone told ToyNews. 

“It’s disappointing, but not surprising that the manufacturer hasn’t secured it properly.”

Soon after an open database linking to more than two million voice recordings from the cuddly toys were found, which were even held to ransom by hackers. 

Stone continued: “Servers storing large amounts of personal data are targets for hackers who want to either sell the information or to ransom it (as happened to the CloudPets database). Hackers will always go for the easiest targets, they probably see toy companies as such.”

This is undoubtedly true, as there have been many cases in the past where toy firms have been targeted, including VTech’s Learning Lodge, while others including the My Friend Cayla Doll and Hello Barbie have been a cause for concern for owners. 

Security researchers previously revealed that Mattel’s Hello Barbie could steal personal information and turn the microphone into a surveillance device, however the toy giant has revealed that security is of the utmost importance when releasing toys. 

In a statement, Mattel said: “As a leader in the toy industry for more than 70 years, Mattel is committed to safety and security when bringing new products to market.

“Mattel and its partners take a number of steps to ensure all of our products conform with applicable laws and standards, including the Children’s Online Privacy Protection Act.”

Considering how simple it was for hackers to steal data from the CloudPets plushies, it’s clear that manufacturers need to put in place more security measures, not only to protect their consumers, but also their own name as a business in the toy space. 

Harbottle & Lewis’ Jeremy Morton believes firm’s who design web-connected toys should put in place a system that will help them deal with potential hacks.

“Every business handling significant personal data should put in place an action plan for dealing with data hacking or other data loss and its consequences. This includes a media plan and communication with customers,” Morton explained. 

“While companies falling victim to hacking can investigate and try to pursue hackers, this is not likely to be easy, and ultimately responsibility for security lies with the company itself.”

David Emm, principal security researcher from security firm Kaspersky Lab, concured, revealing that it is a manufacturers duty to ensure toys are safe to use, but advises that parents should be more vigilant when it comes to purchasing these types of toys. 

“It’s really important that, when considering such toys as gifts, parents look beyond the fun aspect of a toy and consider the impact it might have on their child and the wider family,” Emm added.

“However, there is also a role for the manufacturers of connected products and the security industry. We need to work together to ensure that strong protection and patch management is designed-in from the very start. Once a product is on the market, it is already too late.” 

We live in a connected world, but if toy firms and parents can work together to completely safeguard their children from malicious hackers, data breaches will no longer be a threat to today’s children enjoying playtime.

ToyNews also reached out to Spiral Toys to discuss its involvement with the data breach, and are yet to receive a response from the toy firm.

About Robert Hutchins

Robert Hutchins is the editor of Licensing.biz and ToyNews. Hutchins has worked his way up from Staff Writer to the position of Editor across the two titles, having spent almost eight years with both ToyNews and Licensing.biz, and what now seems like a lifetime surrounded by toys. You can contact him by emailing robert.hutchins@biz-media.co.uk or calling him on 0203 143 8780 You can even follow him on Twitter @RobGHutchins if ranting is your thing...

Check Also

John Whaite fronts brand-new audio baking collection from Yoto

Yoto, the audio platform for kids behind the critically acclaimed and award-winning Yoto Player and …