It started when hackers made a doll swear; now, consumer advocacy groups across Europe and the U.S. are complaining to regulators that Internet-connected talking playthings, including the interactive My Friend Cayla doll and the i-Que robotic toy, lack cybersecurity to the extent that they expose children to potential harms ranging from verbal assault to data theft to abuse of recordings of their voices.
Cayla and i-Que use a combination of microphones, Internet-based speech recognition, apps, and wireless connections that enable them to converse with children, but which also leave them open to attack and misuse, the consumer groups allege.
The Brussels-based Bureau Européen des Unions de Consommateurs (BEUC) has spearheaded a campaign across Europe, sending letters to three European Commission (EC) chiefs, as well as to the head of data protection in France and to the president of an international consumer protection network, exposing the products' flaws. Several advocacy groups in the U.S. have filed similar complaints with the Federal Trade Commission (FTC).
“The Internet-connected toys ‘My Friend Cayla’ and ‘i-Que’ fail miserably when it comes to safeguarding basic consumer rights, security, and privacy,” said BEUC, which serves as an umbrella organization to national consumer bodies from European countries. It criticized Cayla and i-Que on several fronts, most notably a “lack of safety” rooted in the ease with which “anyone can take control of the toys, which can talk and record conversations, through a mobile phone.”
Both Cayla and i-Que connect via Bluetooth to a smartphone or tablet running a companion app, which sends a child's spoken question over Wi-Fi to a remote server that transcribes the speech. The transcription triggers a Web search for answers via Google, Wikipedia, and Weather Underground, and the result is sent back to the toy to speak to the child.
BEUC based its concerns on findings by the Norwegian Consumer Council (NCC), a BEUC member. The Norwegian group has lodged complaints with three Norwegian government agencies, implicating four companies: Genesis Toys of Los Angeles, which makes Cayla and i-Que; Nuance Communications of Burlington, MA, which provides speech recognition and stores voice recordings; ToyQuest of Los Angeles, which makes the app; and Vivid Imaginations of Guildford, England, which distributes i-Que in Europe. (NCC also looked into possible security flaws in Mattel's connected Hello Barbie doll, but did not file any complaints related to Barbie, which uses different Internet of Things (IoT) technology than Cayla and i-Que).
Finn Myrstad, head of the Council's digital services and electricity division, told CACM that Cayla and i-Que both feature wireless connections with no password or pairing protection, allowing anyone, not just those equipped with hacking skills, into the system.
“If anyone can connect with a mobile phone, that's not good,” Myrstad said. “You can use it to eavesdrop, you can use it to manipulate, and all kinds of things.”
A technical report on NCC's website further explained:
“Cayla and i-QUE use no security measures when pairing to the phone/tablet. As long as the toys are turned on, and not connected to another device, they can be found and connected to by other Bluetooth devices. We also tested if the toys were discoverable only during a short time span after being turned on, but leaving the toys on for 30 minutes showed that they were still discoverable. Their names when searching for Bluetooth devices are "Top Toy Cayla" and "IQUE," making them easily recognizable. The phones/tablets think the toys are hands-free headsets, so no apps are needed to connect to the toys.”
The report also found that intruders can use the dolls as recording devices, and that questions sent to Weather Underground were transmitted unencrypted, thus “making it easy for a man-in-the-middle to read the data.”
CACM sent requests for comment to all four companies singled out by NCC; none responded.
Alarm bells first rang nearly two years ago, when British cybersecurity consultants Pen Test Partners coaxed Cayla into swearing.
“You can do some creepy things on kids,” Pen Test founder Ken Munro told CACM, recounting how his team was able to easily access and alter Cayla's vocabulary. “She would say anything we wanted.” On one occasion, in January 2015, Cayla blurted out, “Hey, calm down or I'll kick the shit out of you,” Munro said.
Pen Test, which promotes itself as a team of “ethical hackers” who expose cyber weaknesses that companies need to repair, alerted the toy's maker, Genesis Toys. According to Munro, Genesis then encrypted the database of the doll's phrases, but that turned out to be an ineffective patch because the encryption was easy to undo, as Pen Test demonstrated when it had Cayla cursing again by November 2015.
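The "encrypt the phrase database" patch that Pen Test bypassed illustrates a general weakness rather than anything specific to Cayla: if the app that decrypts the file must carry the key, the key can be pulled out of the app, and whoever has it can decrypt, edit, and re-encrypt the file so the app accepts it. The article does not describe the scheme Genesis actually used, so what follows is an added example, not code from the page, from Genesis, or from Pen Test. It is a constructed Go illustration of that class of patch (AES-GCM under a key shipped in the app) beside the alternative a reviewer would ask for (a database signed by the vendor, with only the public key in the app). The phrase-file format, the embedded key, the tampered phrase, and all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed stand-in for the doll's phrase database (not the real file format).
var originalDB = []byte("greeting=Hi, I am Cayla. What is your name?\n")

// Hypothetical key shipped inside the companion app; anything in the APK can be
// recovered by reverse engineering, so the attacker is assumed to hold it too.
var embeddedKey = []byte("0123456789abcdef0123456789abcdef")

// must unwraps a (value, error) pair; a failure here means malformed example data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// appGCM is the AES-GCM instance the app (and therefore the attacker) uses.
var appGCM = must(cipher.NewGCM(must(aes.NewCipher(embeddedKey))))

// sealEmbedded is the "just encrypt it" patch: AES-GCM under the embedded key,
// random nonce prepended to the ciphertext.
func sealEmbedded(plain []byte) ([]byte, error) {
	nonce := make([]byte, appGCM.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, appGCM.Seal(nil, nonce, plain, nil)...), nil
}

// openEmbedded is the app's load path: decrypt and trust whatever comes out.
func openEmbedded(blob []byte) ([]byte, error) {
	ns := appGCM.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return appGCM.Open(nil, blob[:ns], blob[ns:], nil)
}

// TamperEmbedded plays the attacker: decrypt with the recovered key, rewrite a
// phrase, re-encrypt. The app cannot tell the result from a vendor-made file.
func TamperEmbedded(blob []byte, from, to string) ([]byte, error) {
	plain, err := openEmbedded(blob)
	if err != nil {
		return nil, err
	}
	return sealEmbedded(bytes.ReplaceAll(plain, []byte(from), []byte(to)))
}

// SignedDB is the alternative: the vendor signs the database with a private key
// that never ships; the app carries only the public key.
type SignedDB struct {
	Body, Sig []byte
}

func VendorSign(priv ed25519.PrivateKey, body []byte) SignedDB {
	return SignedDB{Body: body, Sig: ed25519.Sign(priv, body)}
}

// AppVerify refuses to load a database whose signature does not check out.
func AppVerify(pub ed25519.PublicKey, db SignedDB) (string, bool) {
	if !ed25519.Verify(pub, db.Body, db.Sig) {
		return "", false
	}
	return string(db.Body), true
}

// Demo runs the same tampering against both schemes and reports whether the
// app would have accepted (and spoken) the attacker's phrase.
func Demo() (embeddedAccepted, signedAccepted bool) {
	const evil = "greeting=I am not a nice doll.\n" // constructed tampered phrase
	blob := must(sealEmbedded(originalDB))
	forged := must(TamperEmbedded(blob, string(originalDB), evil))
	embeddedAccepted = string(must(openEmbedded(forged))) == evil

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := VendorSign(priv, originalDB)
	signed.Body = []byte(evil)                 // attacker can read and edit the body ...
	_, signedAccepted = AppVerify(pub, signed) // ... but cannot forge the signature
	return embeddedAccepted, signedAccepted
}

func main() {
	e, s := Demo()
	fmt.Printf("embedded-key scheme accepted tampered DB: %v\n", e) // true
	fmt.Printf("signed scheme accepted tampered DB:       %v\n", s) // false
}
```

Run it with `go run .` and the first line reports true, the second false. The signed variant does not make the doll tamper-proof: an attacker who can patch the app or the toy's firmware can strip the verification call, and the phrase text is still readable by anyone. What it changes is that no secret ships with the app, and defeating it now requires modifying code rather than editing a data file, which is the bar a "patch" for this kind of finding should at least clear.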
NCC's Myrstad said the product should not be on the market in its current form. “The company was notified in January 2015, and they are still selling it for Christmas sales in 2016 with no improvement on the security,” he noted. “From our point of view, that makes it worse.”
Myrstad and BEUC identified several other threats posed by lax security and data policies on Cayla and i-Que, both of which are capable of recording children's conversations with them.
For example, BEUC alleged that “kids’ secrets are shared” because Nuance gets a record of “anything the child tells the doll,” and that the company “reserves the right to use this information with other third parties, and for a wide variety of purposes.”
Myrstad also pointed out that Genesis' terms and conditions stipulate that voice data policy is handled by Nuance. Richard Mack, Nuance vice president of corporate communications and marketing, responded in a post on the company’s What’s Next blog that Nuance’s policy “is that we don’t use or sell voice data for marketing or advertising purposes. …Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers.”
“We have made and will continue to make data privacy a priority.”
Another concern: data can be stored for a long time, and can be used for marketing and product placement purposes. “The toys are embedded with pre-programmed phrases, where they endorse different commercial products,” BEUC said. “For example, Cayla will happily talk about how much she loves different Disney movies; meanwhile, the app-provider also has a commercial relationship with Disney.”
BEUC also claimed the two products come with what it called “illegal terms,” noting, “Before using the toy, users must consent to the terms being changed without notice, that personal data can be used for targeted advertising, and that information may be shared with unnamed third parties. This and other discoveries are, in consumer organizations’ opinion, in breach of the EU Unfair Contract Terms Directive, EU Data Protection Directive, and raises serious doubts about toy safety protection.”
Myrstad said the collaborative nature of IoT products compounds the problem of accountability. An IoT product or service typically involves many different technology vendors, such as the four implicated in relation to Cayla and i-Que. While Nuance holds the voice data, the other parties might also bear responsibility in the event of a breach.
“What should the consumer do when there is such a wide variety of actors involved?” asked Myrstad. “This is a challenge with the Internet of Things, where you buy a physical product, but where there's also a digital component through an app where there are loads of third party providers involved. What do you do when something goes wrong, or data is being collected inadvertently? Who do you hold responsible?”
The problem might only get worse, based on the work by Munro's Pen Test, which has found that IoT devices in general are frequently open to attack.
At the LuxLive 2016 lighting exhibition in London in November, Munro demonstrated a live hack of an Internet-connected electric tea kettle. He claimed such kettles and many other domestic IoT items (such as lighting) typically require downloadable apps that are easy to access and reverse-engineer—a process which then reveals key information, such as IP addresses and passwords.
Those hazards came even more into focus a few weeks later, with the filings by BEUC and others.
“Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy,” said BEUC director general Monique Goyens. “As long as manufacturers are not willing to take these issues seriously, it is clear that this type of connected product is not suitable for children. As an increasing number of manufacturers and providers move into the digital field, they must be careful with the security and privacy risks that the digital world opens up.”
BEUC has sent letters to EC director-general of Justice and Consumers Tiina Astola and director-general of Internal Market, Industry, Entrepreneurship, and SMEs Lowri Evans; to European Data Protection Supervisor Giovanni Buttarelli; to International Consumer Protection and Enforcement Network (ICPEN) president Gerd Billen; and to Isabelle Falque-Pierrotin, president of France's data regulator, the National Commission on Informatics and Liberty (CNIL).
In the U.S., organizations including the Electronic Privacy Information Center (EPIC), the Campaign for a Commercial Free Childhood, and the Center for Digital Democracy have complained to the FTC, alleging among other things violations of the Children's Online Privacy Protection Act (COPPA).
As the regulators review their cases, consumer groups, and security researchers such as Pen Test, will continue to take up the cause. While NCC complained specifically about Cayla and i-Que, it also raised concerns in its reports over the even more popular Barbie, although it did not formally lodge any objections to the iconic Mattel toy. One of the latest versions of Cayla, My Friend Cayla Party Time, might start waxing on about whiskey if Pen Test succeeds in tampering with the accessories that prompt her to talk about what she's holding in her hand; Pen Test is trying to convince her she's clutching a tumbler rather than a hairbrush. Pen Test (the name stands for Penetration Testing) is also attempting to hack the new, sold-out robotic toy Anki Cozmo, so far to no avail.
Advice to parents still shopping for presents: maybe it's time for the kids to just play outside again.
Mark Halper is a freelance journalist based near Bristol, England. He covers everything from media moguls to subatomic particles.