Testing Internet of Toys Designs to Improve Privacy and Security
Internet-connected toys (IoToys), embedded with microphones, cameras and other sensors, bring technology closer to children than ever before. This new generation of toys raises several questions, e.g. “What data can IoToys exchange? With whom? What are the possible threats?”, and raises concerns regarding the security and privacy of children. These issues are at the centre of this chapter. The authors describe the data flow of the IoToys architecture and highlight the threats that such an architecture should tackle. They present the privacy and security test conditions to which different IoToys have been submitted. The results indicate that personal data are exposed, thus violating data confidentiality and consequently end-users’ privacy. The chapter concludes with recommendations to enhance the security and privacy of the IoToys architecture.
Keywords: Internet of toys; Internet of things; Security; Privacy