Security Requirements and Tests for Smart Toys

  • Conference paper

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 321)

Abstract

The Internet of Things creates an environment that allows the integration of physical objects into computer-based systems. More recently, smart toys have been introduced to the market as conventional toys equipped with electronic components that enable wireless network communication with mobile devices, which provide services to enhance the toy’s functionalities and data transmission over the Internet. Smart toys provide users with a more sophisticated and personalised experience. To do so, they need to collect a large amount of personal and context data by means of, for instance, mobile applications, web applications, cameras, microphones and sensors. All data are processed and stored locally or on cloud servers. Naturally, this raises concerns around information security and child safety, because unauthorised access to confidential information may have many consequences. In fact, several security flaws in smart toys have recently been reported in the news. In this context, this paper presents an analysis of the toy computing environment based on the threat modelling process from the Microsoft Security Development Lifecycle, with the aim of identifying a minimum set of security requirements a smart toy should meet, and proposes a general set of security tests to validate the implementation of those security requirements. As a result, we have identified 16 issues to be addressed, 15 threats and 22 security requirements for smart toys. We also propose using source code analysis tools to validate seven of the security requirements; three test classes to validate seven security requirements; and specific alpha and beta tests to validate the remaining requirements.


Author information

Correspondence to Luciano Gonçalves de Carvalho or Marcelo Medeiros Eler.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

de Carvalho, L.G., Eler, M.M. (2018). Security Requirements and Tests for Smart Toys. In: Hammoudi, S., Śmiałek, M., Camp, O., Filipe, J. (eds) Enterprise Information Systems. ICEIS 2017. Lecture Notes in Business Information Processing, vol 321. Springer, Cham. https://doi.org/10.1007/978-3-319-93375-7_14

  • DOI: https://doi.org/10.1007/978-3-319-93375-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93374-0

  • Online ISBN: 978-3-319-93375-7

  • eBook Packages: Computer Science, Computer Science (R0)
