Have yourself a secure and connected Christmas

It’s that time of year again…

Parents and family members around the globe are scouring the high streets and the web for the perfect child-friendly gifts.

And as the world becomes more connected, it’s no surprise that many of this season’s must-have kids’ toys are boasting connectivity features such as Wi-Fi and Bluetooth.

But it’s important to highlight the potential security risks that this connectivity poses before they become a problem.

This is why our research team came together with leading independent consumer body Which? to identify and test seven of the most popular connected children’s toys on the market.

Through in-depth testing of the toys’ hardware, associated mobile applications and websites, infrastructure and privacy policies, the team discovered 20 security and privacy issues.

While overall, most of the toys tested presented a minimal direct attack surface, the team did discover that three of the toys tested lacked Bluetooth authentication, which could potentially allow strangers to communicate with a child using the device.

As well as this, issues were also identified in the online applications associated with most of the toys, which included plain text website logins, username or email address enumeration, and weak password and online privacy policies. If compromised, this could put personal data at risk.

These issues are something which the Department for Digital, Culture, Media and Sports (DCMS) hoped to address when the Code of Practice for Consumer IoT Security was introduced in 2018. While positive changes are being made, there is still a way to go to ensure that connected products are secure by design, and that device users stay secure in this digital world.

Guidance for parents and guardians

While the onus should never fully lie with parents or guardians, there are several steps that can be followed to ensure that a child is using connected toys safely and securely. This includes:

Checking the product literature

While it’s up to the toy manufacturer to clearly communicate the security and privacy measures that are in place, it’s good practice to read the product literature if available. If in any doubt, it might be worth reconsidering the purchase.

Supervising children when using connected toys

It’s important to supervise children when using connected toys, wherever possible. This could also include setting up any online accounts with secure passwords, or supervising children when they’re using any chat forums associated with the toys.

Powering-down devices when not in use

To mitigate the risk of security issues such as unauthorised Bluetooth authentication, children should be encouraged to turn off devices when not in use, as powered-down devices cannot be exploited. If the child is too young to remember or perform this, parents should try to ensure that toys are powered down when they’re not being played with.

So, this Christmas, we’re asking for just two things…

1.We want manufacturers to implement important security measures from the outset and commit to the DCMS Code of Practice for Consumer IoT Security.

2.We want parents to be better educated so they can choose the best and most secure toys for their children.

If you’d like to find out more about this research and our key recommendations, head over to our technical blog.