In case you missed it, the news media gave a lot of attention recently to the fact that the makers of the Barbie doll have finally accepted that they cannot hold back the tide of modern ideas and must swim with it, introducing versions of the doll in a variety of more lifelike shapes (see picture above – no, that’s not our account team). Wind the clock back one year and the company was announcing a product that raised questions of less cultural significance but potentially of more importance to all our lives. Hello Barbie, a wirelessly connected ‘smart’ doll, unexpectedly brought the topic of Internet of Things (IoT) security into the mainstream.
Before the ‘new shape’ excitement, a number of news media outlets warned us about the danger to our privacy – and potentially our children – of the new breed of Internet-connected toys, such as Hello Barbie. This version of the iconic plastic plaything can engage in a certain amount of ‘conversation’, learning about its owner’s likes. In order to achieve this it must listen to the world around it and store what it hears. The immediate concern for commentators was the potential for a toy to be hacked, giving a malicious third party access to young children.
The fact that such a connected toy could be remotely hacked had already been demonstrated on another doll, Cayla, which was programmed to say a number of inappropriate things. It’s difficult not to see the funny side of such a demonstration, which was essentially benign and harmless by nature, unless you are the toymaker. However, similar techniques could easily be employed to deliver more offensive material or spy on a household.
What these examples highlight is the weakness of protection given to the new devices that are being added to the Internet. Computers are routinely fitted with anti-virus, anti-spyware and firewall software to protect them against threats that, predominantly, come from the Internet. The justification for this protection is partly that your desktop PC or laptop may contain private/commercial information or banking details. However, with the IoT, the interest for the hacker is not necessarily what is on the targeted device but, rather, what it is connected to. So if you have a smart kettle or fridge or toaster you may not consider it to be at risk due to its insignificance. But think what it is connected to; the likelihood is that it shares the same wireless network as your laptop, smartphone, tablet and, perhaps, intruder alarm. Essentially, every IoT device is a potential access point. And, with the number of Internet of Things devices predicted to be in the billions, there will be an awful lot of access points for hackers.
What can you do in the face of this growing danger? Well, as an individual, be careful with your password policy and don’t just leave devices on the default factory PIN setting. As a product developer, make use of industry resources and forums such as the recently established Internet of Things Security Foundation. And, as a toy manufacturer, make sure your crisis communications plan is up to date, just in case.
[Full disclosure: Publitek represents a number of companies that help protect equipment and networks by strengthening IoT security at the device, operating system or Cloud level, so we see many examples of threats and good practice.]