Security flaws in a doll sparks concern over Smart Toys

Researchers at QUB’s Centre for Secure Information Technologies (CSIT) have been researching the security of smart toys.

“The My Princess Cayla Doll is hard to come by now, because its security flaws have been publicised across the globe,” says lecturer Dr Ciara Rafferty from CSIT.

Ciara is an expert in fully homomorphic encryption – an important technique to enable computing on encrypted data.

As a project in hardware security, Ciara oversaw the work of an intern who effectively tried to “break into the doll.” The doll comes with embedded speaker, microphone and Bluetooth connectivity, enabling it to connect to the internet via a tethered smartphone and app.

She explains: “His project was intended to last for eight weeks, but he did it in three days – because there was so little security, it was very easy to exploit.”

What sort of hacking?

Ciara says, “You can access the app and rewrite the stories that the doll tells, so it will recount any text that you type in. The doll’s Bluetooth connection can be exploited, and on top of that, the app is insecure.”

The doll gained so much notoriety, the German government actually “classified it as a concealed espionage device, because it can listen to you or your kids,” she says.

German parents were instructed to destroy the doll, reports the BBC.

The real fear here is not that a Cayla doll will infiltrate your home, but that any kids’ toy with connectivity could be vulnerable. Do toy manufacturers have the ability to put potentially expensive security features in inexpensive dolls, robots and other toys?

Ciara says, “A report by the Children’s Commissioner in England discussed who sees the data you put online about your children. The amount of data people are posting about their children, through Facebook or Instagram for instance, can be staggering. Teachers also need to be retrained on this topic.”

“Which? Magazine posted tips for parents about smart toys.”

Overall, do you think IoT devices are making kids smarter?

“You don’t want to scare people. I think anything to interest and encourage children to interact is a good thing. Working in technology, you can teach kids from an early age how to use it safely – because you can’t avoid technology,” Ciara concludes.

***

When she’s not hacking smart toys, Ciara’s research in homomorphic encryption is breaking other sorts of ground.

“It’s fascinating to see how homomorphic encryption can be used in data analytics, fin-tech for instance. There are untrusted cloud service providers who store sensitive information in the cloud. This will enable encrypted analysis in the cloud – it will be a killer app,” she explains.

Ciara’s team came up with a hardware solution that was “105 times faster than the software version.”

I remark that it sounds like a good investment area, and Ciara notes a use case where this could help.

“If you consider the online DNA and genome testing services that are being advertised in the mass media now – how is that data being held in the cloud? It’s not like giving away what your favourite colour is – these providers hold your actual DNA, the very information that describes you.”

But, she notes, there are risks with sharing such personal data. “If fully homomorphic encryption could be used in this instance, a user could upload encrypted data to the cloud, take advantage of the cloud computations, and download results, without revealing sensitive information to the cloud service provider. However, we still need to further research homomorphic encryption schemes to enable sufficient performance for real world use cases.”

Ciara says there are many solutions, either using homomorphic encryption to compute on data without decrypting it, identity-based encryption or access control based methods.

Information for parents – government tips on smart toys can be found here.