The Internet of Hackable Things
There is a smartphone that you can buy for twenty dollars now. You wouldn’t want to buy it — as a phone, it fails horribly in terms of usability and ergonomics — but it embodies the idea of a smartphone in every way. It has a touchscreen, a camera, a recognizable version of the Android operating system, and of course you can use it to make calls and browse the internet.
This is not a particularly revelatory device. In fact, you’d probably only give it to your least favorite stepchild. However, in terms of manufacturing, it is a revelation. Over the last couple of years, the prices of the recognizable components that make up a phone have gone down, down, down. Smartphones are now a commodity. What this means is that it is now practical, trivial even, to add the attributes of a mobile, internet-connected device to any previously unconnected object. This is what is meant by the term “internet of things.”
Again, this is probably not a new or surprising term for most of you reading this. There have been many breathless articles about the Nest thermostat, for example, and how it’s supposed to change your life by allowing you to change the temperature of your house remotely. Similarly, you have the Fitbit, those wireless LED lightbulbs whose color you can change with your phone, and so on.
What these devices have in common is that they’re relatively high-end. Think back to that $20 smartphone, however. You know, the phone that you’d only ever give to a kid? Well, some manufacturers have decided to eliminate the middleman and incorporate smartphone features directly into various children’s toys. However, by incorporating budget components and software, they’ve also left out a very important factor — security.
First of all, let’s talk about the Hello Barbie bug. Hello Barbie is an internet-connected doll. It is voice activated, using technology similar to Apple’s “Siri.” Once it hears a voice command, it records it, sends the recording to a central web server that processes the command, and then plays back an appropriate response. Based on the whole “recording kids’ voices” idea, it is already a pretty creepy toy. In addition to being creepy, it is also deeply insecure.
According to security researchers from Bluebox Labs, the app that allows Hello Barbie to transmit to the internet is very easy to compromise. An attacker could intercept children’s recordings before they are sent along to the processing server, which is disturbing enough in its own right. The toy also has its own Bluetooth receiver, but there’s nothing in the app that distinguishes the doll itself from any unsecured Wi-Fi network with the word “Barbie” in its name. Lastly, and most damningly, the server itself is vulnerable to the POODLE bug, which was disclosed more than 18 months ago. In layman’s terms, that’s like leaving your back door open for 18 months with a sign saying “rob me.”
In addition to this, we have the widely publicized VTech hack, which has just generated its first arrest. VTech manufactures cheap tablets and other electronic devices for children, and collects personal data from the families that use them. It barely secured that data at all, however. A single attacker was able to expose the real names, home addresses, and email addresses of over 11 million individuals. While the company did encrypt passwords, they were secured with an algorithm that’s been out of date since the late 1990s, meaning that they’re trivial to unscramble. In addition, the user data clearly indicated which of the users (over 6 million) were children, and linked them to their parents, with additional data including the children’s headshots as well as chat logs. The only saving grace in this case is that the man who breached VTech was only trying to expose the company’s shady practices, and had no intention of selling the data he took.
Children’s toys seem to be a major entry point for the internet of things into our lives. This is not without consequence. You have companies that have never made any kind of computerized hardware before, and all of a sudden they’re sticking web-enabled computers into everything they make. They’re clearly not investing the time, effort, and energy required to add even a basic amount of security to these products. As a consequence, the first victims of their neglect will be people too young to understand the ramifications of being hacked.