Consumer watchdogs in Europe and the US have lodged a joint complaint against the makers of top-selling internet-connected toys for failing basic privacy and security measures, and not keeping children safe.
A study by the Norwegian Consumer Council has identified major security flaws in the My Friend Cayla doll and i-QUE robot connected toys, specifically. Both are widely available in Europe and the US.
My Friend Cayla, for example, lets children ask her questions to which she responds, and plays games like noughts and crosses with them.
Based on the results of the Norwegian study, consumer organisations in seven European countries have filed complaints against Genesis Toys, which makes the devices, and ToyQuest, which makes their companion apps.
Alongside the Norwegian Consumer Council, complaints have been filed with national data protection authorities and consumer protection authorities by UFC Que Choisir in France, the Swedish Consumers’ Association in Sweden, the Consumers’ Protection Centre (KEPKA) in Greece, Test Ankoop in Belgium, the Consumers’ Association of Ireland, and Consumentenbond in the Netherlands.
Four US groups, including the Electronic Privacy Information Centre (EPIC) and the Centre for Digital Democracy, have filed a complaint with the Federal Trade Commission.
The Norwegian tests found that, “with simple steps”, hackers can easily gain control of both toys through a mobile phone, and talk and listen through them without any kind of physical access.
The terms and conditions attached to the Cayla doll also stipulate that, prior to use, customers must consent to their personal data being used for targeted advertising, and to their information being shared with unnamed third parties.
They must also accept these terms may change without notice.
Cayla also transfers data, including any communications with the dolls, to a US-based company called Nuance Communications, a speech recognition specialist that also provides technology for fraud detection and healthcare services.
The study says the Cayla doll, for example, will talk about Disney movies, and notes the app provider has a commercial relationship with Disney.
The European Consumer Organisation (BEUC) has sent letters about the matter to the European Commission, the European Union network of national data protection supervisors, and the International Consumer Protection and Enforcement Network (ICPEN).
Monique Goyens, Director General of BEUC, said: “Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy.
“As long as manufacturers are not willing to take these issues seriously it is clear that this type of connected product is not suitable for children.”
Genesis Toys has distribution arrangements with Wal-Mart, Toys R Us, Amazon, Target, and K-Mart, variously, in the US, Norway, Sweden, Denmark, Australia, Netherlands, and the Middle East.
British toy company Vivid distributes both products in the UK, France, Germany, Austria, Ireland, and Switzerland.
The Norwegian Consumer Council notes in its complaint to the Norwegian Directorate for Civil Protection that the Cayla doll was named toy of the year in Norway and Sweden in 2014, according to a sticker on its packaging.
The Norwegian app for the doll has been downloaded from Google Play between 10,000 and 50,000 times, it said.
The app associated with the i-Que robot has been downloaded between 1,000 and 5,000 times from Google Play.
Tony Gee, Consultant at ethical hacking firm Pen Test Partners, told European Communications: “We applaud this action. It’s time manufacturers of IoT devices woke up and realised it is their responsibility to ensure they deliver safe and secure devices to end users.”
Pen Test Partners has also investigated the Cayla device, alongside such devices as connected thermostats and DVRs, and found its security and privacy to be inadequate.
“Cayla has no Bluetooth pairing mechanism, meaning as long as she is turned on anyone within range can connect to her,” said Gee.
Speaking at the European Communications/Mobile Europe IoT Conference 2016 last week, Gee demonstrated the Cayla doll works effectively as a Bluetooth speaker and microphone, with no pairing process.
“This means attackers could sit outside a child’s window and listen and talk to them, through their doll,” said Gee.
“Not only that, the application is very poorly written with little regard for the potential for attackers to create malicious versions allowing modified versions to be created.”
Gee said IoT manufacturers should test for vulnerabilities as a matter of course, make devices remotely updateable, sign and check firmware updates, encrypt data and communications, and limit the personal data required for the service.
Goyens also made the point that market supervision is becoming increasingly complex.
“The challenge to make sure European consumers are properly protected is huge and co-operation between authorities and consumer organisations is key,” she said.
“The fact that business malpractices spill over national borders is making this task even harder.”