As we become accustomed to hearing Bing Crosby carols during Halloween, Black Friday sales and shifting seasons instead of a White Christmas, at least we can still rely on Santa to bring his elves' hard work down our chimneys.

But this year, will he be delivering us a dose of Internet of (Hacking) Things as well?

The world is suffering a drought of skilled cyber practitioners – more cyber-crime means more demand for experienced responders. Encouraging children to develop skills in STEM, “science, technology, engineering and mathematics”, helps to build familiarity with subjects that will become increasingly relevant to our future technologists and supports these critically valuable skills.

And so the market for “connected toys” continues to grow, many marketed to encourage development of programming skills and construction for little minds and hands.

But a little over a year ago, cyber security journalist Brian Krebs found his website coming under one of the largest sustained DDoS (distributed denial of service) attacks ever observed – over 600 Gbps, magnitudes more than required to knock most websites down. And in the analysis of this attack it was observed that many of the “zombie” devices making up the botnet that generated the spurious traffic were IoT (“Internet of Things”) devices: web cameras, routers, fridges and many others!

And now we find that many of the shiny new toys that will be sitting under Christmas trees this year may well be agents of the zombie army.

Cyber experts have been reviewing the firmware and network configurations of many “connected” toys – Furbies, Barbies, Teddies and others. Wi-Fi and Bluetooth are commonly used to connect the toys to each other or to upload and share data, sometimes with parents and sometimes with manufacturers. Some of these toys are even designed with hidden web cameras to allow parents to “observe” their children over the internet.

But when “privacy by design” and “security by design” come second to whiz-bang features and flashing lights, these hardware and software flaws may become a point of entry into your connected home, to your PCs and laptops, even into your work IT networks, as they broaden the attack surface and open up vulnerabilities.

In 2015 we saw a toy manufacturer suffer a breach affecting nearly 11 million accounts, including those of over 6 million children. Two years later, as the “connected toy” is becoming increasingly ubiquitous, we advise families to keep their other systems suitably safe from malicious cyber intruders and less than diligent toy manufacturers.

With our toys increasingly requiring their own firewall to minimise risks to our data environment, manufacturers should be alive to concerns arising from GDPR failings and Data Protection principles related to good data governance.

Bah humbug!



Image courtesy: Double Feature