If you’re going to get one, you may want to take it apart, a cybersecurity expert says.
The hot word in kids’ toys this year is “interactive.”
Your child gets to “grow” a robotic penguin, or launch a NERF drone with a surveillance camera to scout a target before pummeling it with foam darts.
But more and more, “interactive” may also mean “connected,” and cybersecurity experts warn that smart things may not be the smartest gift this year.
These smart things make up the Internet of Things, or IoT—devices like your home security cameras, Wi-Fi-enabled washer and dryer, and smart TV that connect to the Internet.
“The biggest concern is that there are tons of Internet of Things devices out there, and they’re very insecure,” said Lesley Carhart, a Chicago-based digital forensics expert.
Carhart urges people to take a look at the risks before they buy each other connected things for Christmas 2016—and encourages people with tech skills to investigate them if they end up under the tree.
“If your kid gets an interconnected Barbie, you should probably be taking it apart to see what it does,” Carhart told the audience at a cybersecurity conference in Jackson, Mississippi on Saturday.
Find a security flaw, and you could protect your family—and the rest of the world—from attack.
The risks
That connected toy could bring unwanted visitors into your home.
Last year, the new Hello Barbie promised to let kids hold conversations with the iconic doll, who could answer back with one of 8,000 responses, based on what your child says.
But in November and December of 2015, researchers reported security flaws that could give attackers access to the doll and the data it collected. Some privacy advocates labeled it the Hell No Barbie.
“You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want,” security researcher Matt Jakubowski told NBC, according to The Guardian.
Image: one of the “Hell No Barbie” pictures posted by online commenters after privacy advocates gave Hello Barbie its new name. The toy’s maker said children’s recorded conversations with Hello Barbie are protected. Photo credit: Mike Licht, NotionsCapital.com via Foter.com / CC BY
Holiday frenzy
The toy’s maker said it fixed Hello Barbie’s security errors, but experts say there is a flood of inexpensive, insecure smart devices heading your way this year.
“People want Internet of Things devices,” Carhart said to Archer News. “They’re really fun to have. That refrigerator that tells you when your milk expires—gee, that’s really handy!”
But people want to buy them at low prices, she said.
“There is a big market right now popping up and they need to be made cheaply and quickly,” Carhart said. “And the corners that are cut are usually security.”
In addition, some companies developing the connected products are forging into new territory.
“Nobody has ever made devices like that before,” she added. “So there’s no precedent for building security into those devices.”
More than hackable toys
The risks are not just hackable toys and baby monitors that allow attackers to watch and speak to your child in bed.
A research team found that they could infect a single connected light bulb with a digital worm that then spread, over the bulbs’ own wireless link, to other bulbs nearby. Flying a drone past a building, they took over the bulbs inside and made them flash “S-O-S” in Morse code, Forbes reported.
“The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack,” the researchers said in their report.
Researchers said they were able to infect Philips Hue smart bulbs with a spreading digital worm. Photo credit: ursonate via Foter.com / CC BY
“Mass quantity”
Your smart devices can also help take down the Internet, or at least parts of it.
On October 21, attackers who had conscripted connected devices into a botnet flooded the DNS provider Dyn with traffic, knocking out access to Twitter, Amazon, Netflix and other big sites that depended on it.
Researchers traced that attack to digital video recorders, cameras and other connected devices with weak security, such as factory-default passwords that were never changed.
“We saw large websites that you would normally presume would be not vulnerable to an attack taken down,” Carhart said. “The problem is the mass quantity of those devices and the tremendous vulnerability of them being built cheaply and quickly.”
Twitter users reported problems with accessing the site during the October 21 Internet attack.
Wish list
Odds are, someone on your gift list will want something connected. What should you do?
“People are going to want to buy these things,” Carhart said. “The kids’ toys that can connect out to the Internet and interact with them and do cool things that have never been seen before—that’s amazing.”
“And in terms of home security, it’s great to be able to turn on and off your lights and check your cameras from your smartphone wherever you are in the world,” she added.
Image of a smart refrigerator on display at the 2016 Consumer Electronics Show. Photo credit: ETC-USC via Foter.com / CC BY
Before you buy
But before you buy, Carhart recommends that you think about what bad guys can do with that device.
For example, if it’s a baby monitor, they may be able to watch and speak to your child. If it’s a connected refrigerator, they may be able to spoil your food, and then use the fridge as a foothold to take over your entire home network.
Also, she said, check to see if the device has any security certifications.
Plus, going for the lowest price may also give you low security, according to Carhart.
“Give some thought to not just buying the cheapest product, but spending the money to buy one that was built responsibly with security in mind. Because as long as there’s a market for cheap devices that have no security, that market will continue to grow,” she explained.
Check it out
Customer reviews will sometimes reveal whether a smart device is glitch-prone or problematic.
An Internet search for the product name together with “vulnerability” or “security” can show whether researchers have already found flaws in it, and whether the maker fixed them.
Still, some consumer experts suggest holding off on buying the newest smart toys.
“And if you can wait, it may be better to hold off until they get the kinks out—which is typically your best bet with new technology anyway,” wrote Alex Thomas Sadler in her review of Hello Barbie on Clark.com.
Customers discussed problems with the Furby Connect in their Amazon reviews.
Got skills?
If you have tech skills and/or curiosity, Carhart suggests you turn your energy toward these hackable holiday presents.
“Do you really want your aunt to get something for Christmas that’s really being used as a spy device?” she asked the group of attendees at the BSides Jackson cybersecurity conference.*
“If you’re going to buy that toy that connects to the Internet, take it apart. Figure out how it works. Figure out how it could be abused,” she explained to Archer News.
Then, share your findings in a responsible way, Carhart said: report them to the manufacturer and give it a chance to fix the problem before publishing the details.
“We need all the help we can get. There are more devices out there that are connected to the Internet than there are security researchers by far,” she said.
Maybe next year
People on Carhart’s gift list may not get exactly what they want this year.
“I am not planning on giving any IoT devices this Christmas because I feel like, at this point, for Christmas 2016, there isn’t time to properly secure the devices that are out there,” Carhart said.
“Now in 2017 maybe I’ll give out some IoT devices that I have felt are adequately vetted, but I don’t think that there’s time in the next month-and-a-half to thoroughly vet and secure the devices that are already out there for sale.”
*Archer News’ parent company, Archer Security Group, gave financial support to the BSides Jackson cybersecurity conference.