
Protecting our privacy in the Internet of Toys

It turns out, we were right; we just were looking at the wrong toys. In a recent article on Softpedia, Gabriela “Gaby” Vatu provides confirmation of what we have believed would happen with the continuing emergence of IoT. Effectively, internet-connected devices can collect vast troves of our data and become easily compromised, resulting in privacy and legal issues.

Like it or not, the Internet of Things (IoT) is happening. Ceiling fans, thermostats, coffee makers, refrigerators, and light bulbs are all finding their way to the Web. The world is undoubtedly becoming more connected, bringing with it an estimated 200 billion connected objects by —or nearly 26 connected objects for every human on Earth—with an estimated value ranging between 14 and 19 trillion dollars across the global economy.

Unfortunately, there will be many instances where that human with the 26 connected devices is a child. What happens then? What happens when that connected object isn’t something like a light switch, but instead is a toy that the child is interacting with? We must have a way to protect children, but allow for the modernization and future of play.

Protecting Children from IoT

The safety and privacy of connected toys will warrant much effort from manufacturers and parents alike. Nanny cams have already been hacked, and the recently detailed CloudPets breach is only one of many breaches in IoT security to come.

As the Softpedia article noted, “IoT devices, as a whole, have serious security problems and have been hacked countless times.” To address the concerns of parents and others, manufacturers must begin to build in mechanisms to update firmware when security breaches are detected. If such mechanisms are not deployed, various legal authorities will step in to limit access to devices that have a track record of being hacked. In the case of the Cayla doll, the German government banned the toy due to security problems and fear that the internet connection used to answer kids’ questions could be hacked easily.

Germany’s act is laudable, no doubt, as it will put great stress on the manufacturer to release security updates and, potentially, recall the device to protect children from the problems that can come from these devices. However, if manufacturers fail to plan for problems in advance of attacks, the problem will only continue. Specifically, and as previously mentioned, mechanisms must be designed into the devices that allow for automatic updates of firmware. Because the device is connected to the internet, all connections must be secured with TLS, and the databases that are used to maintain user information must be well maintained and secured (ideally with salted hashes for stored credentials) to prevent the confidential information from being used should a breach occur.
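The difference a salt makes to a leaked account table, as an added example that is not from the original post or any manufacturer's code. The account names, passwords, record format and PBKDF2 work factor are all constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def unsalted_record(password: str) -> str:
    """The weak pattern: a bare, fast hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, salt: bytes | None = None) -> str:
    """Per-account random salt plus a slow KDF, stored as 'iterations$salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_hash_groups(table: dict[str, str]) -> list[list[str]]:
    """Accounts whose stored value is identical: what a leaked table gives away."""
    groups = defaultdict(list)
    for account, stored in table.items():
        groups[stored].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: two parents happened to pick the same password.
ACCOUNTS = {"parent_a": "teddy2017", "parent_b": "teddy2017", "parent_c": "x9!Lq#44vT"}

def build_tables() -> tuple[dict[str, str], dict[str, str]]:
    """Return the same accounts stored the weak way and the salted way."""
    weak = {a: unsalted_record(p) for a, p in ACCOUNTS.items()}
    strong = {a: salted_record(p) for a, p in ACCOUNTS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted, identical rows:", shared_hash_groups(weak))
    print("salted, identical rows:  ", shared_hash_groups(strong))
    print("login still works:", verify("teddy2017", strong["parent_a"]))
```

With unsalted hashes, one recovered password unlocks every account that shares the same stored value; with a per-account salt each record has to be attacked on its own.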

Additionally, manufacturers that are maintaining any confidential information need to be sure they are monitoring all connections from each device to their data center in order to guarantee the integrity of the information being sent to and from the device. Network forensic information is key to recovering from a data breach and should be part of any IoT manufacturer’s design architecture.

Take a look at a recent post on Popular Apps: Your Child’s or Teen’s Data Privacy to read about how data privacy is becoming a big issue with regard to the apps our kids use.