Intelligent Toys Are Easy to Fool

Parents should take their time to ponder how good an idea it is to give smart toys to their kids. Security researchers have reported another connected product that comes with security flaws that affect privacy and safety of kids, demonstrating how it could mistreat them with offensive language.

Teksta Toucan smart toy, equipped with speakers and a microphone, can act as a two-way communication tool via a companion app installed on a Bluetooth-enabled device. The toy can play audio messages recorded by the app and send back the sound picked up by the built-in microphone.

The toy comes from the same manufacturer as the My Friend Cayla doll and ti-Que robot, which have either been banned or are on probation by data protection agencies in Europe. The sanction and the official notification to comply with data privacy laws result from the possibility to use the toys to listen in on conversations around them.

Bluetooth-enabled gadgets can connect to the toys without authenticating first, based on their proximity and connection history; Teksta Toucan works in the same way, so anyone near the toy can pair with it. Researchers from Pen Test Partners warn that the lack of authentication could allow a third party to spy on your kids and your house. For this reason, they contacted the German telecommunications regulator (Bundesnetzagentur), hoping they would also ban the talking toucan.

The modern toys no longer function within the limits of scripted responses, instead embracing the latest technology to provide more interactive features. They can access the internet, either directly or through a companion mobile app, interact with children through speech recognition software, process voice patterns, and offer a communication channel with parents. The information collected and handled this way is sensitive enough to warrant security measures; all the more when kids are involved.

Parents should be aware that smart toys often rely on data processing algorithms from a third-party to come up with contextual reactions. Considering the private nature of the information, they should be asked for consent before any detail is uploaded to the cloud or sent to a partner company for analysis.

Cayla, i-Que and Teksta Toucan are not the only insecure smart toys. Consumer organizations in Europe found that the practice of leaving the Bluetooth connection unprotected was common, and it applies to other products, too: the Furby Connect, the Toy-fi Teddy, and CloudPets can all be used to send and receive messages via Bluetooth, without authentication.

Before getting a connected toy, you should document its features and learn how it works, look it up online to see if privacy concerns have been raised about it, and see what security features it has available. If your kid already has a smart toy, make sure that the wireless connection (Bluetooth, WiFi) is off when nobody is playing with it.

Image credit: Genesis Industries