In recent years, stories about “hackable toys” became something of a mainstay of the holiday season – almost as predictable as showings of It’s a Wonderful Life or Die Hard (<— Christmas movie). The message of these “hackable toy” stories was almost always the same: caveat emptor! Buyer beware. Those cute, interactive dolls, nanny cams and toddler friendly tablets were, we learned, harvesting reams of sensitive information from children – often in violation of Federal law. Even worse, these firms were often transmitting and storing the data insecurely, leading to breaches that exposed that sensitive data.
This year, however, you’d be hard put to find warnings about the cyber security risks of connected toys and personal electronics. Consumers might be forgiven for concluding, therefore, that the problem must have been fixed. Those toys sitting under the tree this year are hardened to remote cyber attacks, right? The data they collect is locked down and encrypted – beyond the reach of malicious actors and snoops, yes?
Almost certainly “No.” Conversations about the cyber risk of smart, connected playthings and electronics may have been on the back burner for Christmas and Hanukkah 2022. But there’s little reason to believe that any measurable improvement has been made in the cybersecurity or privacy protections of connected toys and personal electronics. If anything, the risk is growing, as the Internet of Things extends its reach to more families, communities and businesses.
Lax cybersecurity the norm on the xIoT
For example, a recent study of IoT device security by Phosphorus Labs, a cybersecurity company, found that 68% of the devices it examined carried high-risk or critical vulnerabilities. That’s consistent with other studies of IoT insecurity. A 2020 study by Palo Alto Networks found that 57% of IoT devices are vulnerable to medium- or high-severity attacks, and that 98% of all IoT device traffic is unencrypted, exposing personal and confidential data to any attacker in a position to capture that traffic.
While Phosphorus’s research focused on the kinds of devices and technologies used by businesses and government (like printers, voice over IP phones and physical access systems), the broader Internet of Things – what Phosphorus refers to as the xIoT – isn’t limited to those devices. The IoT is estimated to have a population of 50 billion devices globally and is growing rapidly, even as traditional IT endpoints – desktops, laptops and servers – are on the decline, said Brian Contos, the CSO at Phosphorus. Security issues with the xIoT matter beyond the enterprise, too, because the problems found in business technologies like VoIP phones, security cameras and printers aren’t confined to those product categories: the same development shortcomings show up in consumer devices.
Phosphorus’s research noted a number of factors contributing to the security issues on the IoT. Among them: a lack of secure development practices and experience at connected device makers; a heavy reliance on shared software and components (often open source); and a business culture that emphasizes time to market and feature development over robust security. The past year has shown that vulnerabilities in software supply chains are a major source of cyber risk for organizations.
Credential mismanagement is just the most obvious byproduct of that general lack of security. Phosphorus notes that many xIoT devices come with default passwords which users frequently forget to change, while other devices don’t support complex passwords.
In short: the IoT is a major blind spot, which hackers can use to infiltrate both home and business networks. With access, they can pivot to other assets, steal information, launch attacks, carry out physical sabotage, and achieve long-term persistence, Contos said. And businesses are notoriously bad at tracking the IoT devices deployed in their environments. By Contos’ estimate: every employee has between 3 and 5 IoT devices they use at work, while companies regularly underestimate the size of their deployed IoT device population by 50% or more.
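The gap Contos describes, between the number of IoT devices an organization thinks it has and the number actually on its network, can be measured rather than guessed. The following Python script is an added example, not code from the article or from Phosphorus: it reconciles a constructed asset register against DHCP leases, flags devices that are on the wire but not in the register, and uses constructed flow records to list which devices are speaking over cleartext protocols (the unencrypted-traffic problem from the Palo Alto Networks study above). The OUI vendor table, the lease and flow lines, the MAC addresses and the asset register are all made up for the example; a real deployment would load the IEEE OUI registry and read leases and flows from the DHCP server and a sensor such as Zeek.

```python
"""Reconcile an asset register with what is actually on the network, then
flag devices talking in the clear. Added example; every input is constructed."""
from collections import defaultdict

# Hypothetical OUI (first three octets) -> vendor hints. Constructed for the
# example; load the IEEE OUI registry for real use.
OUI_HINTS = {
    "aa:bb:cc": "ExampleCam (IP camera)",
    "dd:ee:ff": "ExamplePrint (printer)",
    "11:22:33": "ExampleVoIP (desk phone)",
}

# Destination ports where a client is speaking without transport encryption.
CLEARTEXT_SERVICES = {
    21: "ftp", 23: "telnet", 80: "http", 161: "snmp",
    554: "rtsp", 1883: "mqtt", 5060: "sip",
}

# What the asset register claims the organization owns (constructed MACs).
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01", "dd:ee:ff:00:00:01",
    "11:22:33:00:00:01", "11:22:33:00:00:02",
}

# dnsmasq-style lease file: expiry mac ip hostname client-id (constructed).
DHCP_LEASES = """\
1672531200 aa:bb:cc:00:00:01 10.0.5.11 lobby-cam *
1672531200 aa:bb:cc:00:00:02 10.0.5.12 cam-2 *
1672531200 dd:ee:ff:00:00:01 10.0.5.20 printer-3f *
1672531200 11:22:33:00:00:01 10.0.5.31 phone-101 *
1672531200 11:22:33:00:00:02 10.0.5.32 phone-102 *
1672531200 11:22:33:00:00:03 10.0.5.33 phone-103 *
1672531200 0c:0c:0c:00:00:09 10.0.5.90 smart-speaker *
1672531200 0c:0c:0c:00:00:10 10.0.5.91 * *
"""

# Simplified flow records: src_ip dst_ip dst_port proto (constructed).
FLOWS = """\
10.0.5.11 203.0.113.10 443 tcp
10.0.5.12 203.0.113.10 554 tcp
10.0.5.12 10.0.5.1 23 tcp
10.0.5.20 10.0.5.2 161 udp
10.0.5.31 203.0.113.20 5061 tcp
10.0.5.33 203.0.113.20 5060 udp
10.0.5.90 198.51.100.5 1883 tcp
10.0.5.91 198.51.100.5 80 tcp
"""


def parse_leases(text):
    """Return {ip: (mac, hostname_or_None)} from dnsmasq-style lease lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, hostname = parts[:4]
        leases[ip] = (mac.lower(), None if hostname == "*" else hostname)
    return leases


def vendor_of(mac):
    """Best-effort vendor hint from the OUI prefix."""
    return OUI_HINTS.get(mac[:8], "unknown vendor")


def audit(leases, flows_text, register):
    """Compare discovered devices with the register and flag cleartext talkers."""
    seen_macs = {mac for mac, _ in leases.values()}
    registered_seen = register & seen_macs
    unregistered = sorted(seen_macs - register)

    # Attribute each cleartext flow to the device that held the source IP.
    cleartext = defaultdict(set)
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src_ip, _dst_ip, dst_port, _proto = parts
        service = CLEARTEXT_SERVICES.get(int(dst_port))
        if service and src_ip in leases:
            cleartext[leases[src_ip][0]].add(service)

    # Share of devices on the wire that the register does not know about.
    undercount = 1 - len(registered_seen) / len(seen_macs) if seen_macs else 0.0
    return {
        "discovered": len(seen_macs),
        "registered_seen": len(registered_seen),
        "unregistered": unregistered,
        "cleartext": {mac: sorted(svcs) for mac, svcs in cleartext.items()},
        "undercount_pct": round(100 * undercount),
    }


if __name__ == "__main__":
    report = audit(parse_leases(DHCP_LEASES), FLOWS, ASSET_REGISTER)
    print(f"{report['discovered']} devices seen, "
          f"{report['registered_seen']} in register "
          f"({report['undercount_pct']}% undercount)")
    for mac in report["unregistered"]:
        print(f"  not in register: {mac} [{vendor_of(mac)}]")
    for mac, services in report["cleartext"].items():
        print(f"  cleartext: {mac} -> {', '.join(services)}")
```

On the constructed data the register knows four of the eight devices seen on the network, a 50% undercount, which is the order of magnitude Contos cites. The flow check is deliberately coarse (it keys on well-known ports, not on payload inspection), so a device that runs HTTP on 8080 or MQTT over TLS on a nonstandard port needs a protocol-aware sensor to classify; the point is that both the inventory gap and the cleartext exposure fall out of data most networks already collect.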
And the risk posed by vulnerable gifts under the Christmas tree impacts businesses as well, as workers carry personal electronics into the office, he said.
Insecure toys: yesterday’s news?
A review of recent history provides ample evidence that the security problems facing the xIoT extend to smart, connected playthings. As far back as 2015, for example, security researchers noted vulnerabilities in apps connected to toys like Mattel’s Hello Barbie. In 2018, the Hong Kong-based firm VTech agreed to pay the U.S. Federal Trade Commission (FTC) $650,000 to settle charges of violating the Children’s Online Privacy Protection Act (COPPA), charges linked to a 2015 cyber attack and data breach that targeted VTech’s Learning Lodge Navigator online program, Kid Connect app and the Planet VTech gaming and chat platform. That attack exposed personal information on 5 million customers, more than half of whom were children.
It used to be that these issues of cybersecurity and toys garnered a lot of attention, and not just from federal regulators. Turn back the calendar four or five years and cybersecurity firms were warning of failures like flawed wireless security and authentication features in toys like the Furby Connect and CloudPets. The German government was warning parents to destroy the Cayla doll, a smart, interactive plaything that the government likened to a surveillance device.
News outlets like The Wall Street Journal and the New York Times picked up on those reports and gave the issue front-page treatment. Even the FBI got involved, issuing a warning to consumers in 2017 that smart, connected playthings could be equipped with sensors, cameras and even GPS trackers that posed cybersecurity and privacy risks. In 2019, the FTC published a list of security and privacy related questions consumers should ask before buying Internet connected toys.
With another season of holiday gift giving behind us, however, there’s much less talk about hackable toys in 2022 than there was five or even three years ago. Sure, the FTC took strong action against Epic Games this month for COPPA violations, as well as for misleading players of its Fortnite online game about online purchases, but there was no updated FTC advice to consumers about cyber risks in connected products. And it’s not as if connected toys and gifts that combine sensor-rich hardware, mobile applications and cloud-based servers and data storage are out of vogue. If anything, they’re more common than ever. Research from the firm Mordor Intelligence estimates that the connected toy market accounted for $7.6 billion in sales in the US in 2020, and it is expected to grow over the next five years.
Wanted: a cop on the IoT security beat
That kind of bad press should create pressure on device makers to do better. After all, 87% of consumers polled by DigiCert in their 2022 State of Digital Trust Survey said they would be likely to jettison vendors following a loss of digital trust caused by a cyber incident.
The sad truth, however, is that there’s no cop on the beat for IoT security, as the meager list of FTC enforcement actions for COPPA violations suggests. There have been just 39 settlements for COPPA violations in the 24 years that the law has existed. For every Epic Games or VTech, there are scores, if not hundreds, of devices and device makers that escape scrutiny for lax device and data security, exploitable software holes, porous configurations and unpatched software flaws.
What’s needed, of course, are new rules, regulations and standards that make the security of IoT devices – including children’s toys – a priority. To date, however, there has been little interest among lawmakers in the U.S. in holding the manufacturers of connected toys and personal electronics accountable. The most notable achievement on the public policy front was the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, which set minimum security standards for IoT devices. Unfortunately, the Act – which took more than three years to pass, despite enjoying strong bipartisan support – only applies to IoT devices sold to federal agencies and explicitly exempts most “conventional” information technology devices like computers, laptops, tablets, and smartphones. Needless to say: Uncle Sam isn’t buying connected toys.
Cybersecurity product labels on tap in 2023
Outside of that, the only other IoT regulation has come at the state level or outside of the U.S. where the United Kingdom and – more recently – the European Union have introduced new regulations targeting the security of Internet of Things devices.
Then, in October, the Biden Administration said it will introduce a cybersecurity labeling system for Internet of Things devices in 2023. Akin to the Federal Energy Star labeling system that informs consumers about the energy efficiency of products, the new cybersecurity labels will convey vital information to would-be purchasers of connected products about both the cybersecurity of the device and the security of the software contained on it. This is part of a broader government effort to improve the security of software, and of software supply chains, used by federal agencies. For IoT devices, NIST developed guidelines for the bar-coded labels, which will be affixed to devices like Internet connected cameras, home routers and other “high risk” IoT devices. The labels will link to information on the manufacturer’s data encryption, software update and vulnerability remediation practices.
That will be a big improvement – and may help create pressure on device makers to prioritize cybersecurity. But the new rules – part of President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity – merely reflect the wishes of The Commander In Chief. Absent new laws, passed by Congress, the IoT labeling system and all the hard work done by NIST, the FTC and other agencies to create them could be stuck away on a shelf and replaced with “industry friendly” alternatives – or nothing at all – should the next occupant at 1600 Pennsylvania Avenue so desire.
Experts agree: the risk posed by the Internet of Things is growing. If lawmakers are serious about addressing that risk, they’ll make passing comprehensive IoT security legislation a priority in 2023.