Internet-connected toys (IoToys) offer children opportunities to play and learn, and also educational support thanks to their interactive and personalized features. IoToys, like any other Internet of Things (IoT) devices, contain embedded electronics and computing elements, such as microphones, cameras, sensors of various kinds, which enable them to interact with users and adapt to their actions. Moreover, IoToys can record, store, analyze and share all sorts of data depending on their configuration.
However, IoToys raise questions about security, privacy, and other fundamental rights of children as they may gather personal information regarding children’s lives, and then use and share those data. IoToys can communicate with other devices and services that collect data for management and data sharing and analysis. These developments of IoToys not only increase the amount of data available to businesses but also raise new security and privacy issues, which can affect families’ and children’s privacy when interacting with such devices.
The authors of this article set up a test-bed architecture to perform a security and privacy threat analysis of IoToys. Their research aims to identify critical elements that need to be taken into account to ensure children’s rights, data, privacy and security while designing and using IoToys.
The result of the tests showed it was possible to get access to data exchanged over both insecure and secure connections. They have also been able to identify data that were sent to IoToys servers, such as:
- Personal information (children’s dates of birth, names);
- Unique identifiers (mobile device model, operating system, time zone of the user);
- Users’ preferences (names given to IoToys by end-users) and;
- Information related to the status of an IoToy (e.g. if it is online or not).
They also found out that IoToys do not only send information to their servers but may also send it to third-party services. In some cases, the third party was given exclusive access to the IoToy’s server to fetch users’ data.
Finally, their analysis demonstrated that IoToys exchanged personal data in clear text, which means that it was not encrypted. This means that any adversary can capture the underlying communication and get access to personal data.
Users should be able to provide only data necessary to implement the service to IoToy companies. IoToys companies should transparently inform users about the types of data that are exchanged between the IoToy and the server, or with third-party services.
Cite: Chaudron S., Geneiatakis D., Kounelis I., Di Gioia R. (2019) Testing Internet of Toys Designs to Improve Privacy and Security. In: Mascheroni G., Holloway D. (eds) The Internet of Toys. Studies in Childhood and Youth. Palgrave Macmillan, Cham