Next at @enigmaconf: "Eyes in Your Child's Bedroom: Exploiting Child Data Risks with Smart Toys" with Sanchari Das

#enigma2020

Children talk to their toys, confiding to their dolls and stuffed animals. Now toys are listening. And remember.

Friend or foe?

Many start toys are insecure and dangerous, but there are ways we can help. Developers can build safer tech.

When we talk about risks, it's multivariate can go from low-to-high and depends on multiple factors.

We have ways of handling and identifying risks in other areas, but cybersecurity can be all over and it's hard to see.

We do have tools and risk analysis processes, but we're not sure if the users are the problem or not. [ Spoiler: not. If you don't make things work for humans, that's your issue, even if it's hard. ]

Can we achieve 100% security? No. Everything is highly connected and succeptable to threats. You have to protect *everything* which leads to overload for the users.

Our goal is to build tools which are usable, privacy-preserving, and achieve security. Especially hard for vulnerable population of children, who are not even able/allowed to collect their data -- like announcing birth online

Issues with smart toys keep cropping up. What's the problem. Investigated CloudPets toys. They're fun and nice to talk to grandparents!

But with a security lens, it has a 30-50 foot range. So it should have some kind of authentication, right?

Ha ha no.

[ demonstrates an attack where they snoop on a message recorded with the toy and send audio back to the toy -- it broadcasts itself, which makes this easy to scan ]

This is a security failure, but it's not the fault of the user: overpowered, underprotected.

Tried attack on a Fisher-Price toy [ didn't catch the name but it's a creepy-looking cube-head bear ]

[ video of attack taken through the camera of this toy, which was remotely taken over ]

This test was done in 2019. Why still so bad?

We need to assess the situation. We're building and mitigating issues, but the hackers aren't stopping!

We are lacking the user side, following the research

We also need to educate developers.

Amazon killed off the CloudPet and Fisher-Price toys because riddled with flaws.

But hey, there's a secondary market, might even be pre-hacked.

Made a risk-assessment tool so that users can make informed decision. Does simple non-technical education work? Are user studies worthwhile?

[ shows videos from @ljean doing funny security education (links, @ljean?) ]

@ljean Why don't they adopt better practices?
* if people don't care about the risk, change incentives
* if people don't know about the risk, communicate
* if people know and care, improve usability

@ljean Why is such robust research needed? Why not just think about the networks and firewalls and stuff?

Because there are USERS and they may hit situations and have needs that we don't anticipate.

And hey, there are more things, like they hacked a crock pot.

We can't avoid it, even if you don't use IoT devices. Well, you go to the grocery store, you use a credit card, etc. there's vulnerable tech all over.

Q: Did you find any smart toys which were secure?

A: no. I found some with authentication, but in plaintext. They're trying to be more cognizant, but didn't find any better yet.

Q: Aside from security best practices, is there an existing IoT security framework you'd recommend or reference?

A: yes, but I don't have a reference off the top of my head

Q: I learned a lot about these bears and I'm not going to buy one. Pattern matches in my brain against other bad toys e.g. poisons. We didn't solve those problems without regulation. What would you push for?

A: ... they also had COPPA violations. So there are laws, but...

A: also they do an audit at the end, not building all of these requirements in at the beginning.

Q: you didn't find any toys which were secure. Do you think there's something about toys which put them in this state as opposed to other devices?

A: yes, but it should be the reverse! we should be more careful with vulnerable populations