Security and Privacy Analyses of Internet of Things Children’s Toys

This paper investigates the security and privacy of Internet-connected children’s smart toys through case studies of three commercially available products. We conduct network and application vulnerability analyses of each toy using static and dynamic analysis techniques, including application binary decompilation and network monitoring. We discover several publicly undisclosed vulnerabilities that violate the Children’s Online Privacy Protection Rule as well as the toys’ individual privacy policies. These vulnerabilities, especially security flaws in network communications with first-party servers, are indicative of a disconnect between many Internet of Things toy developers and security and privacy best practices despite increased attention to Internet-connected toy hacking risks.
