Security and Privacy Analyses of Internet of Things Toys

This paper investigates the security and privacy of Internet-connected children's smart toys through case studies of three commercially available products. We conduct network and application vulnerability analyses of each toy using static and dynamic analysis techniques, including decompilation of the companion application binaries and monitoring of the toys' network traffic. We discover several previously undisclosed vulnerabilities that violate the Children's Online Privacy Protection Rule (COPPA) as well as the toys' own privacy policies. These vulnerabilities, especially security flaws in network communications with first-party servers, indicate a disconnect between many IoT toy developers and security and privacy best practices, despite increased attention to the risks of Internet-connected toy hacking.
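As an added example of the network-monitoring step the abstract describes (this is illustrative code written for this page, not the paper's own tooling), the script below triages captured flows from a toy's companion app: it classifies each connection as TLS, plaintext HTTP or something else from the first client bytes, and ranks plaintext flows that carry credentials or child data to the vendor's own servers as the most serious findings. The vendor and analytics hostnames, the sensitive-field list and the sample flows are all constructed for the example; a real analysis would take the hostnames from the toy's DNS traffic and the flows from a packet capture.

```python
"""Triage captured IoT-toy traffic for insecure first-party transport (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    dst_host: str    # destination hostname (from DNS or TLS SNI in the capture)
    dst_port: int
    payload: bytes   # first client-to-server bytes of the TCP stream

# Hypothetical vendor domains; a real analysis takes these from the toy's DNS traffic.
FIRST_PARTY_HOSTS = {"api.example-toy.test", "voice.example-toy.test"}

# Fields whose presence in a plaintext request is a COPPA-relevant finding (constructed list).
SENSITIVE = re.compile(rb"(?i)(authorization:|password=|child_name=|birthdate=|audio=)")

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify_transport(payload: bytes) -> str:
    """Return 'tls', 'http' or 'other' from the first bytes a client sends."""
    # TLS record header: content type 0x16 (handshake), major version 0x03, minor 0x00..0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if REQUEST_LINE.match(payload):
        return "http"
    return "other"

def finding(flow: Flow) -> Optional[dict]:
    """Describe a plaintext HTTP flow; None for TLS or unrecognised traffic."""
    if classify_transport(flow.payload) != "http":
        return None
    return {
        "host": flow.dst_host,
        "port": flow.dst_port,
        "party": "first-party" if flow.dst_host in FIRST_PARTY_HOSTS else "third-party",
        "sensitive": SENSITIVE.search(flow.payload) is not None,
    }

def triage(flows):
    """Plaintext flows, most serious first: first-party flows carrying sensitive data on top."""
    hits = [f for f in map(finding, flows) if f is not None]
    return sorted(hits, key=lambda f: (f["party"] != "first-party", not f["sensitive"]))

# Constructed sample flows standing in for a capture of the toy's companion app.
SAMPLE_FLOWS = [
    # TLS ClientHello to the vendor API: not a finding.
    Flow("api.example-toy.test", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    # Plaintext login to the vendor API carrying a password and a child's name.
    Flow("api.example-toy.test", 80,
         b"POST /v1/login HTTP/1.1\r\nHost: api.example-toy.test\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"email=parent%40example.test&password=hunter2&child_name=Sam"),
    # Plaintext analytics beacon to a third party: lower severity, still worth noting.
    Flow("cdn.example-analytics.test", 80,
         b"GET /pixel.gif?app=toy HTTP/1.1\r\nHost: cdn.example-analytics.test\r\n\r\n"),
    # Unrecognised binary protocol: needs manual inspection, not flagged here.
    Flow("voice.example-toy.test", 8080, b"\x00\x01\x02\x03binary-protocol"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS):
        print(hit)
```

The transport check only looks at the first bytes of each stream, so it says nothing about certificate validation on the TLS flows; that has to be tested separately (for example by interposing a proxy with an untrusted certificate and seeing whether the app still connects), which is the kind of first-party communication flaw the paper's analysis targets.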
