Tech gifts are awesome. As an engineer, I love getting new gadgets and gizmos to play with, break, and eventually fix. But if someone gets me some mundane object that is internet connected, I’m going to lose my shit.
Its a cool concept, instead of a regular bathroom scale, its a machine-learning bathroom scale. It seems appealing to the masses, but to security engineers, they are a total nightmare. I’ve written about IoT security issues before. A couple of times actually.
This post isn’t going to be a tirade against IoT, just a reminder that devices are more insecure than ever, and getting your children IoT devices is a bad idea. There are plenty of safe and responsible ways for kids to browse the internet, and a multitude of ways that technology can enrich their childhood, but putting a toy that has a camera and microphone in their hands to be used 24/7 is terrifying to security engineers. Internet connected toys have no security standards whatsoever. An attacker doesn’t care that its a kids toy. To them, coming from the infrastructure, its just another computer.
The FBI put out a warning about buying internet connected toys and gadgets for minors. “These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities… These features could put the privacy and safety of children at risk.”
Even if the devices themselves are not vulnerable, corporations care very little about securing your data. A line of IoT teddy bears called CloudPets left terabytes of messages recorded by children exposed in an unsecured online database, along with 800,000 usernames and passwords. A Norwegian consumer council found that specific kid-focused smartwatches are extremely insecure, allowing external agents to track the movements of the wearer and even communicate with them through the speaker.
Not every IoT device is vulnerable, but the industry has a very long way to go to secure their devices.