FBI posts a warning to parents about IoT gadgets

The FBI has posted a ‘consumer notice’ for parents about the dangers of IoT gadgets.

Anyone who follows the computing industry will be aware of the dangers of insecure IoT devices. Some of the potential threats are external to the home, such as devices being hijacked to carry out attacks. Others are internal and pose a danger to your family’s privacy, such as a hacked webcam.

The FBI makes the following recommendations:

  • Research for any known reported security issues online to include, but not limited to:

  • Only connect and use toys in environments with trusted and secured Wi-Fi Internet access

  • Research the toy’s Internet and device connection security measures

    • Use authentication when pairing the device with Bluetooth (via PIN code or password)

    • Use encryption when transmitting data from the toy to the Wi-Fi access point and to the server or cloud

  • Research if your toys can receive firmware and/or software updates and security patches

    • If they can, ensure your toys are running on the most updated versions and any available patches are implemented

  • Research where user data is stored – with the company, third party services, or both – and whether any publicly available reporting exists on their reputation and posture for cyber security

  • Carefully read disclosures and privacy policies (from company and any third parties) and consider the following:

    • If the company is victimized by a cyber-attack and your data may have been exposed, will the company notify you?

    • If vulnerabilities to the toy are discovered, will the company notify you?

    • Where is your data being stored?

    • Who has access to your data?

    • If changes are made to the disclosure and privacy policies, will the company notify you?

    • Is the company contact information openly available in case you have questions or concerns?

  • Closely monitor children’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if such features are available

  • Ensure the toy is turned off, particularly those with microphones and cameras, when not in use

  • Use strong and unique login passwords when creating user accounts (e.g., lower and upper case letters, numbers, and special characters)

  • Provide only what is minimally required when inputting information for user accounts (e.g., some services offer additional features if birthdays or information on a child’s preferences are provided)

An increasing number of IoT devices with various sensors entering our homes could provide an unprecedented amount of data to a hacker. U.S. security agencies, such as the NSA, have been researching methods of exploiting these devices for their own surveillance operations – which makes the FBI’s decision to post this warning to consumers even more interesting.

There are multiple possibilities as to why the FBI has decided to put out this warning. The first could be the direct threat to children’s safety. Another reason could be restoring some public trust after U.S. security agencies, including the FBI, hoarded exploits which later ended up in the hands of malicious hackers and were used for cyber attacks such as the one which crippled the UK’s health service. The agency could also be aware of an increase in threats which are targeting children’s Internet-connected toys in particular.

“Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions. These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options,” the FBI wrote in a post. “These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”

Many manufacturers of IoT devices are still prioritising features over security in the rush to beat competitors to market. To undercut rivals, some also make use of cheap but insecure components. Devices manufactured in China are often found to be the most vulnerable and the most widely hacked. Last year, for example, a large-scale DDoS attack carried out by a botnet of hacked Internet of Things devices caused large websites such as GitHub, Reddit, and Spotify to grind to a halt; the botnet was found to consist mostly of products made by Chinese firm Xiongmai.

The biggest known hack which affected children’s toys was that of Hong Kong-based VTech, which exposed the data of 6.4 million kids. In this incident, children’s profiles, which included their name, gender, and birth date, were leaked. The United States had the most VTech customers whose data was accessed, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium, and the Netherlands.

In the United States, the FTC updated its Children’s Online Privacy Protection Act (COPPA) rules on 21st June 2017 to ensure key protections are implemented with respect to Internet-connected toys and associated services. COPPA now includes rules on mobile apps, Internet-enabled location-based services, and VoIP services.

If you suspect your child’s toy has been compromised, file a complaint with the Internet Crime Complaint Center, at www.IC3.gov.

Are you concerned about the threat IoT gadgets pose to children’s safety? Share your thoughts in the comments.
