Originally published on Canadian Lawyer Online - IT Girl Column
Citing privacy and security concerns, on Feb. 17, the
Bundesnetzagentur, Germany's Federal Network Agency for
Electricity, Gas, Telecommunications, Post and Railway, announced
that it had banned a popular doll called My Friend Cayla and
decisively removed the product from the German marketplace.
Cayla is an interactive doll currently sold in Canada that connects
to the Internet via Bluetooth and can respond to a child's
questions in real time. Sounds innocent, right? However, critics
allege that the toy uses a hidden microphone to record and collect
the discussions with children without any meaningful limitations on
collection, use or disclosure of any personal information or
adequate data protection standards.
German laws currently stipulate that wireless devices with hidden
cameras or microphones are illegal. Following an investigation
spurred on by a complaint that the dolls were so insecure that
their Bluetooth connections (lacking a proper password) could be
hacked up to 10 metres away, the Bundesnetzagentur held that toys
such as Cayla that are capable of transmitting signals and that can
be used to record images or sounds without detection would be
prohibited in Germany to protect children, the most vulnerable
members of society.
The Bundesnetzagentur was particularly concerned that the toys
could be used as concealed surveillance devices and allow hackers
to exploit children. In a press release, the regulator noted that the
toy acted as "unauthorised wireless transmitting
equipment" as anything the child says or other people's
conversations can be recorded and transmitted without the
parents' knowledge. A company could also use the toy to
advertise directly to the child or their parents. Moreover, if the
manufacturer has not adequately protected the wireless connection
(such as Bluetooth), the toy can be used by anyone in the vicinity
to listen in on conversations undetected.
While the Bundesnetzagentur has held the dolls to be illegal in
Germany, it is not currently considering penalties against their
owners and indicated that it expects parents to "do the right
thing" and destroy them on their own volition.
While the Cayla doll is the first toy to be banned under the
Bundesnetzagentur's authority to enforce the ban on
surveillance devices, it may not be last since the regulator also
indicated it would be inspecting other interactive toys and
"if necessary, will take further action."
Cayla is manufactured in the United States and has been available
since 2014, but the doll came under scrutiny in 2015 when
U.K.-based security consultants Pen Test Partners discovered it was
possible to hack the doll and remotely control what it said.
Last year, more than 18 privacy groups filed complaints with the
U.S. Federal Trade Commission and the European Union about
connected toys like My Friend Cayla, claiming manufacturer Genesis
Toys and its speech recognition software partner Nuance violated
deceptive practices and privacy laws such as the U.S.
Children's Online Privacy Protection Act. For example, on Dec.
6, 2016, U.S.-based advocacy groups including the Electronic
Privacy Information Center, or EPIC, launched a complaint and
request for investigation with the FTC citing myriad privacy
concerns (including that the terms of service and privacy policy
for My Friend Cayla are confusing and hard to access, failure of
the manufacturers to adhere to adequate deletion and data detention
requirements and unfair failure to employ reasonable security
practices to prevent unauthorized Bluetooth connections). Concerns
were also raised that Genesis and Nuance were selling the data
collected from children and others to military, intelligence and
law enforcement agencies. The FTC complaint also noted that Cayla
was programmed to reference Disneyworld and Disney movies and as
this product placement was not disclosed prior to purchase parents
who bought the doll for their children were unaware that their
children were being subjected to product placement in their
conversations.
Perhaps even more spectacular than the Cayla ban, however, is the
most recent security failing that has come to light in connection
with CloudPets. These tremendously cute stuffed toys (teddy bears,
cats, elephants and the like) contain built-in microphones and
speakers and connect to the Internet via Bluetooth. The toy allows
family members to exchange voice messages between their children,
friends and relatives using an iOS or Android app on a tablet or
smartphone. Children could also record messages as a reply using
the toy via the app.
The audio files were stored in the cloud in a MongoDB
database.
The details around this story have been slowly emerging since late
December, but on Feb. 28, it was widely reported that Spiral Toys,
the company that made CloudPets, had mistakenly left more than
800,000 customer emails and passwords, access to profile pictures
and data that could help hackers retrieve more than two million
voice messages exchanged between children and their parents totally
unencrypted, without the protection of even a password or firewall,
since Christmas of last year. As the publication Motherboard later reported, there is further
evidence that at least two hackers tried to overwrite the MongoDB
database three times, took copies of the data, deleted the data on
the server and left a note demanding a ransomware payment for the
safe return of the data. The story broke when a security breach expert named Troy
Hunt (who maintains the HaveIbeenpwned website) received detailed
copies of the stolen records, along with screenshots depicting the
efforts of Good Samaritan Victor Gevers, who vainly tried to alert
the toy manufacturer several times, including directly through its
customer support portal and via its ISP starting on Dec. 31, 2016
about the gaping security holes but was thoroughly ignored.
The facts of this incident read like a textbook example of how a
company should not be managing its Internet of Things security or a
data breach. The CloudPets app had appalling password management
— users could create a password as short as one letter (the
company's own tutorial suggested "qwe" would be
perfectly adequate). Spiral Toys initially denied that any voice
recordings or other data had been stolen, claiming they only found
out about the security flaw on Feb. 22, which is unlikely given the
evidence. They initially also downplayed the seriousness of the
problem, calling it "minimal." But, finally, on Feb. 28,
the company sent California's attorney general a breach
notification as required under California privacy law.
Spiral Toys' response was not sufficient for U.S. Senator Bill
Nelson, who on March 7 sent a letter to the company's CEO Mark Meyers,
asking for clarification by March 23 on 10 questions relating to
the data breach, the toy maker's data existing collection
processes and security measures in place to protect against
intrusions, and whether its practices are compliant with COPPA to
adequately protect the confidentiality, security and integrity of
personal information collected from children. Nelson also wanted to
know whether the company discloses to customers that it collects
personal information, whether that data is shared or sold to third
parties and whether prior data breaches had occurred.
Clearly, many IoT manufacturers — particularly in the area of
"smart toys" — are still not getting the message
regarding the importance of privacy and security best practices and
how they need to be "baked in" to all stages of the
development and retail process. Perhaps more national bans and
regulatory scrutiny can help prod manufacturers down this path.
Until then, concerned parents may wish to limit their
children's use of these connected toys since they are not so
smart — just creepy. In the meantime, individuals with
CloudPets accounts should likely change their passwords immediately
(and use something stronger than "cloudpets" as some
users did previously) and, perhaps more drastically, disconnect the
toy from the Internet altogether.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.