23 tweets, 4 min read
Next at @enigmaconf: "Eyes in Your Child's Bedroom: Exploiting Child Data Risks with Smart Toys" with Sanchari Das

#enigma2020
Children talk to their toys, confiding to their dolls and stuffed animals. Now toys are listening. And remember.

Friend or foe?
Many smart toys are insecure and dangerous, but there are ways we can help. Developers can build safer tech.
When we talk about risks, it's multivariate: it can go from low to high and depends on multiple factors.

We have ways of handling and identifying risks in other areas, but cybersecurity can be all over and it's hard to see.
We do have tools and risk analysis processes, but we're not sure if the users are the problem or not. [ Spoiler: not. If you don't make things work for humans, that's your issue, even if it's hard. ]
Can we achieve 100% security? No. Everything is highly connected and susceptible to threats. You have to protect *everything*, which leads to overload for the users.
Our goal is to build tools which are usable, privacy-preserving, and achieve security. Especially hard for the vulnerable population of children, who are not even able/allowed to collect their data -- like announcing a birth online.
Issues with smart toys keep cropping up. What's the problem? Investigated CloudPets toys. They're fun and nice to talk to grandparents!
But with a security lens, it has a 30-50 foot range. So it should have some kind of authentication, right?

Ha ha no.
[ demonstrates an attack where they snoop on a message recorded with the toy and send audio back to the toy -- it broadcasts itself, which makes this easy to scan ]
This is a security failure, but it's not the fault of the user: overpowered, underprotected.

Tried attack on a Fisher-Price toy [ didn't catch the name but it's a creepy-looking cube-head bear ]
[ video of attack taken through the camera of this toy, which was remotely taken over ]
This test was done in 2019. Why still so bad?

We need to assess the situation. We're building and mitigating issues, but the hackers aren't stopping!

We are lacking the user side, following the research
We also need to educate developers.

Amazon killed off the CloudPets and Fisher-Price toys because they were riddled with flaws.

But hey, there's a secondary market, might even be pre-hacked.
Made a risk-assessment tool so that users can make informed decisions. Does simple non-technical education work? Are user studies worthwhile?

[ shows videos from @ljean doing funny security education (links, @ljean?) ]
Why don't they adopt better practices?
* if people don't care about the risk, change incentives
* if people don't know about the risk, communicate
* if people know and care, improve usability
Why is such robust research needed? Why not just think about the networks and firewalls and stuff?

Because there are USERS and they may hit situations and have needs that we don't anticipate.

And hey, there are more things, like they hacked a crock pot.
We can't avoid it, even if you don't use IoT devices. You go to the grocery store, you use a credit card, etc.; there's vulnerable tech all over.
Q: Did you find any smart toys which were secure?

A: No. I found some with authentication, but in plaintext. They're trying to be more cognizant, but I didn't find any better yet.
Q: Aside from security best practices, is there an existing IoT security framework you'd recommend or reference?

A: Yes, but I don't have a reference off the top of my head.
Q: I learned a lot about these bears and I'm not going to buy one. Pattern matches in my brain against other bad toys e.g. poisons. We didn't solve those problems without regulation. What would you push for?

A: ... They also had COPPA violations. So there are laws, but...
A: Also, they do an audit at the end, not building all of these requirements in at the beginning.
Q: You didn't find any toys which were secure. Do you think there's something about toys which puts them in this state as opposed to other devices?

A: Yes, but it should be the reverse! We should be more careful with vulnerable populations.
Thread by Lea Kissner