Spying through connected toys: How far is too far?

Tech expert warns the British government to be careful about how much power it gives law enforcement to intercept communications through things like smart toys.

Wiretapping is an old law enforcement tool. But what about “toytapping,” listening in—or looking in—on people through their kids’ connected toys?

The UK government is looking at a new Investigatory Powers bill designed to give law enforcement more tools for stopping terrorism and other crimes. 

A tech expert advised lawmakers that they need to be very careful about where they draw the line regarding “equipment interference,” reported the BBC.

Antony Walker, of techUK, an organization representing hundreds of British tech companies, told the committee that the bill could potentially give toytapping power to law enforcement, bringing them right into children’s bedrooms.

“A range of devices that have been in the news recently, in relation to a hack, are children’s toys, that children can interact with,” Walker testified, according to the BBC. “In theory, the manufacturer of those products could be the subject of a warrant to enable equipment interference with those devices. So the potential extent, I think, is something that needs to be carefully considered.”

Government vs. bad guys

The debate continues about how far is too far for government interception powers, not just in the UK, but also in the U.S. But some cybersecurity experts say law enforcement should not be your only concern.

“While I certainly do not like the idea of government agencies watching me at home, I am much more concerned with private sector crooks using the same technology for nefarious purposes,” said Patrick Coyle of Chemical Facility Security News.

“How many pedophiles and sexual deviants will use this technology for personal gratification? How many bullies will use the information gained from these devices to torment new victims? How many burglars will use these techniques to find where our most valuable possessions are and when is the best time to break in and steal them?” he asked.

How far is the government planning to go?

One news headline at the site WeLiveSecurity read, “UK govt could access and use smart toys to spy on suspects.”

But Robert M. Lee of SANS Institute criticized the article as “click-bait.” 

“In the article, the government isn’t talking about using toys for spying, though. The article is a lot of fluff,” Lee said. “Far too much FUD (fear, uncertainty and doubt) with far too little facts and education.”

Brandon Workentin, with EnergySec, had another perspective.

“While the headline on the article sounds really scary, the point the witness at the UK governmental hearing was making was a valid point,” he said. “A lot of people, maybe even most, look at something like a toy that you can give voice commands to and say, ‘Cool.'” 

“It’s important to remember, though, that the more things you connect to the Internet, the more things that you have that could go wrong, and with Internet access, one of the ways things can go wrong is by allowing access to somebody you don’t want to allow access to,” added Workentin.

Time to look at what’s in your house

Whether you live in London, Los Angeles or Lagos, it may be time to take stock of the devices at your home or office.

“The internal UK regulatory matters aside, this article brings to light some of the potential consequences of the ‘Internet of Things’ (IoT), which is possibly one of the single greatest turning points in technology since the Internet has existed,” said an anonymous ex-CIA security expert. 

“Rather than just computers running operating systems, we now have a universe of devices connected to the Internet, each with their own unique capabilities and vulnerabilities,” he said.

He said TV sets, DVD players, streaming video boxes, video conferencing devices and many gadgets and toys come with the capability to be wireless connected to the Internet.  

“Every individual, and certainly every business, should consider putting together an inventory of connected (or potentially connected) devices and weigh the consequences involved,” he added. “For many devices it’s simply a matter of not allowing it to connect. For others, it may not be so straight-forward.”

The BBC said the committee working on the bill will continue to talk with people in the industry and other interested parties, and then introduce a revised bill to the parliament in 2016.