The “Internet of Things” (IoT) is no longer just a topic of conversation at your workplace or outside of it. It is no longer just a concept with some potential impact on how we live and how we work. The IoT is happening right now. It is already here.
The number of “connected” devices in people’s homes and their day-to-day routines is on the rise. Moreover, it will continue to grow. And by 2025, you’ll have at least ten active IoT devices in your home.
ONE OF YOUR TEN IOT DEVICES
Think about it for a second. You already have a smart TV that lets you browse the internet. This year, come Christmas, you are going to buy a new fridge. A smart one this time. Next year, you’ll get a smart vacuum cleaner. Then, a new smart alarm, just to keep your connected items safe. Let’s add to this a new smart heating system. One more thing. A prediction, if you wish. In 2018, your Virgin Media ISP will send you a free in-house digital healthcare system.
You’ll get “the kit” at the same time as the new Wi-Fi router and your upgraded internet contract. All free, as part of Virgin’s new partnership with F.C.A. and the N.H.S.
By 2020, every house in the U.K. will have a Digital Health System connected in real time to the N.H.S.
And step by step, without even realizing it, you are going to use the IoT. In your home, in your school, at the nursery. You’ll love them as these smart devices are going to improve your life. These connected devices will clean for you. Protect you. Keep you safe and healthy.
More than that, the IoT devices are going to save you time. The less time you spend “tech-ing” around, the more time you’ll have for your loved ones. However, despite all the positives, we must not ignore the privacy risks that these smart devices bring with them.
DO YOU MONITOR YOUR BABY WITH A CAM?
I am sure you’ll agree with me that last year was “the year of hackers.” Start with Kevin Mitnick. End with LulzSec and Anonymous. Regardless of the names, the fate of any hacker group will be the same. But that does not stop them from hacking. You’ve seen on the news powerful big corporations brought down to their knees.
Hacked. Over and over again. I am sure you still remember “the Sony hack.” Or, a more recent case, the hacked database of the U.S. Office of Personnel Management. It was a breach that exposed more than 21.5 million government employees. From lab employees to clear spies. They all had their secrets spilled and had their lives put at risk.
Some of you might be familiar with the Juniper NetScreen Firewalls hack. Or with the Ashley Madison hack. The Gemalto hack. The Kaspersky Labs hack. We can go on and on for hours.
World’s biggest data breaches In 2015. Showing losses of over 30.000 records and up.
Let’s face it. Even the most powerful governments in the world are far from immune to hackers. Tell me now that you still believe that some cheap products like internet-connected dolls and baby cams are better protected. Think again.
I have a better example for you. An example that is very much related to our subject today: Ensuring your child’s protection in the smart toys era.
And the story goes like this. It happened last year on a cold day in November. A toy manufacturer from Hong Kong, VTech, wasn’t using SSL or encrypting passwords for its line of children’s tablets. It did not think it was needed. As you can imagine, for the hackers, stealing VTech’s data was just “child’s play.”
VTech requested personal info from parents about their families, which they then lost in a massive data breach.
What happened next was a security nightmare. You are looking at 6.4 million exposed children. Millions of children have “lost” their data. Their names, emails, downloads, passwords, IP addresses, photos, password recovery info, and audio and video recordings.
All these details were compromised. Together with the children’s real names, their genders, and their dates of birth. Even their home addresses. Shocking, isn’t it?
DO WE NEED A TRAGEDY TO WAKE UP?
And still, there is a total dichotomy in our attitude towards the security of the internet on the one hand and the most vulnerable “parts” of our society on the other hand.
We pay great attention to the pornographic or violent materials our children could come across online. It causes great concern. We no longer wait for them to strike; we have taken control. We hunt them. We honeypot the sexual predators. And yet, when it comes to tech toys, the protective sensibilities seem to be forgotten.
We are blind. We don’t see; we don’t care. Nobody cares if a certain tech toy manufacturer does not employ experts in infosec. Experts who could raise possible issues with the new smart toys before they roll out of the factory’s gates.
BROWSING THE INTERNET OF TOYS
It is true; we always had problems with “connected” devices. The “vulnerable” webcams alone remain a massive problem even now, in 2016. How? Well, let’s take a closer look at Shodan.
A new search engine for smart, connected devices. Shodan can search the Internet, looking for IP addresses with open ports. Shodan takes a snap if an open port streams a video feed and lacks authentication.
However, this is not just another snap of a city webcam from webcam galore. Or, another snap from a cam that is broadcasting the heavy traffic in Piccadilly Circus. Oh no. As connected toys invade our homes, these smart objects bring silent, unwanted visitors.
Confused? Keep reading. With the help of Shodan, a potential sex predator can browse for connected cams and search for live videos of children. Snapshots. Pics. Your children. Sleeping. Playing. Dancing. Reading.
Or even getting changed in their own bedrooms. The paid Shodan members can access the pics via images.shodan.io. In fact, they don’t even have to pay. The free Shodan accounts can also search for pics using the filter “port:554 has_screenshot: true.”
The cause of the problem is still the “Real Time Streaming Protocol” with no password auth in place. RTSP, port 554, to be more precise. If you are a parent, you have to be aware of this. You must comprehend the danger.
You must understand that there is also a dark face to the IoT. A dark face of the tech toys. Don’t blame Shodan. There are hundreds of free tools out there that can be employed by both the good and the bad guys.
That is why, in this instance, I’ll be naming the Internet of Things the Internet of Toys. The tech toys and the risks they represent to the most vulnerable ones.
You see, the tech can be quite magical when we use it to improve the world we live in. A safer place for all of us, little humans included. However, as much as we love new tech, we must never lose sight of the fact that the tech, for all its possibilities, also creates new risks.
Moreover, for that alone, when dealing with children in an IoT context, their security and privacy must be your priority. In a tech toys context, child protection must be paramount to you. You, the parent. You, the IoT maker. Right from day one.
Now more than ever. In light of what has happened within the “Internet of Toys” community, every IoT company must take extra security measures.
We commend VTech and Mattel/ToyTalk for addressing their recent security breaches and strengthening their commitment to security.
REGULATIONS FOR CONNECTED TOYS
Even the old, classic toys must pass regulatory and safety tests.
Making toys is not an easy business. Look at it from a safety point of view. Children can swallow their toys. They can also break them into little parts and get cut. Get hurt. Suffocated. Even poisoned if the paint you have used has the wrong chemicals.
You’ll have to pass all the regulatory and safety tests. The 16 CFR 1500. The EN 62115. The FCC. The EMC. The RF testing. And more than that, the “Internet of Toys” is not just another toy-making business. It is the Internet of Things for toys. The above-mentioned tests are just the beginning.
To ensure proper children’s protection, you must lock down and partition the toy’s system and all the associated apps. By doing so, you will prevent and limit your tech toys’ exposure to malicious attacks.
Your IoT company must take that “extra step” to encrypt and anonymize the user’s data. The data you have collected via your tech toys. In this case, your clients are the children. With the “birth” of tech toys, the child protection definition is going to change too. No, it is not a joke.
CHILD PROTECTION MUST INCLUDE “DATA”
Child protection is not just the “protection of children from violence, exploitation, abuse, and neglect.” It should also include their data. Protect the children’s data at every step of the platform your tech toys use.
The high complexity of IoT applications leaves software susceptible to security and software quality failure.
The information conveyed to and from the tech toys must be protected with tech industry-grade advanced encryption standards.
Your company must use unique encryption keys for each IoT toy you make. You must have unique encryption keys for each segment and each piece of your system. Child protection, in an IoT context, can be achieved if your company takes into consideration the “worst-case scenarios.”
It is a scenario where, if any part of your IoT toy platform is compromised, the combination of segmentation plus encryption ensures limited amounts of leaked data from your tech toys. Also, it gives you the power to identify where the problem originated in the first place.
To prevent this from happening and to keep your “little clients” safe, you must cycle those keys that encrypt all information sent to and from your tech toys.
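One way to get a unique key per toy, per platform segment and per rotation period, shown as an added example that is not from the original article: derive every key from a master secret with HKDF (RFC 5869). The function names, the `toy-platform-v1` salt, the 30-day rotation period, the all-zero placeholder master and the sample device IDs are assumptions made for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _field(value: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def current_epoch(unix_time: int, rotation_days: int = 30) -> int:
    """Rotation period number; the key changes when this number changes."""
    return unix_time // (rotation_days * 86400)


def toy_key(master: bytes, device_id: str, segment: str, epoch: int) -> bytes:
    """256-bit key bound to one toy, one platform segment, one rotation period."""
    info = _field(device_id) + _field(segment) + epoch.to_bytes(4, "big")
    return hkdf_sha256(master, salt=b"toy-platform-v1", info=info)


# Constructed sample values (assumptions, not real identifiers or secrets).
MASTER = bytes(32)           # placeholder; a real master stays in an HSM/KMS
NOW = 1_700_000_000          # fixed timestamp so the output is reproducible

if __name__ == "__main__":
    epoch = current_epoch(NOW)
    for device in ("toy-0001", "toy-0002"):
        for segment in ("telemetry", "voice-upload"):
            key = toy_key(MASTER, device, segment, epoch)
            print(device, segment, epoch, key.hex()[:16] + "...")
    # Next rotation period: same toy, same segment, different key.
    print(toy_key(MASTER, "toy-0001", "telemetry", epoch + 1).hex()[:16] + "...")
```

A stolen key for one toy and segment reveals nothing about any other toy, segment or period, which is the containment the worst-case scenario calls for; the master secret remains the single point that needs the strongest protection.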
Even more, you’ll have to patch and conduct security checks to ensure the integrity of your platform. It is true no legislation regulates what happens with the “IoT data” at the moment. However, you must stay transparent. If there are no standards, you make the standards. You drive the boat. You set the trend.
KEEP YOUR “LITTLE CLIENTS” SAFE
Companies with different standards on safety, integrity, privacy, and security properties manufacture tech toys and their networking capabilities.
You must at least make a commitment that you will not share any of the data your IoT toys generate. There are many hungry wolves out there; read: marketing and advertising entities.
Don’t let them have the data. Keep your commitment; keep your “little clients” safe. Stay faithful to your promises. You might lose money in the short term. However, in the long run, your business is going to gain trust. With trust comes money. You’ll succeed.
Just make sure you ensure the children’s protection in the new IoT context. Better said: if you can protect your clients, they’ll trust you. Moreover, if they trust you, they’ll come back and buy again.
Don’t forget that anything created or “ingested” by your IoT platform must stay within the walls of your platform. Yes, you can use your user’s data. However, only use it to make your platform better. To make the “children–toy” interaction better. Use the data to help, not to destroy. If it helps, see it as the protection of your child.
You’ll argue now that most of your tech toys must come with access to “the outside” apps. There is nothing wrong with that. However, you must lock down the data contained in these associated apps. You must also limit the amount of info collected by these 3rd party apps.
GIVE PARENTS FULL CONTROL.
On the hardware front, if there is a microphone or a recording camera on your tech toys, you must make sure that the “mute” or “blind” is “ON” by default. The parents can rest easy knowing that the new tech toys they have purchased for their little one’s birthday are not listening to or watching them.
It is a scary thought. If you are not a parent yet, just put yourself in a parent’s “shoes.” Even just for a few seconds. Would you be fine with your children being watched by someone over the internet while playing in their bedroom?! Yeah, didn’t think so.
As a final option, you must offer a way for the parents to delete any information collected by the tech toys. All smart, connected toys must come with a “Parent’s Control Panel” app, for example.
Every tech toy must come with a “Parent Control Panel” app that gives the parent full access to the toy.
The app must be accessible from any pre-registered mobile phone or tablet by the parent or the child’s guardian. The parent must be able to access the tech toys via the app at any time and ensure the child’s protection.
Once connected, the parent must be able to change the settings of the tech toys. Delete data. Update records. Block access to the camera and the microphone from unknown IPs and even MAC addresses. Erase the account. Alternatively, even have the power to cut off the tech toys’ internet access.
The Parent’s Control Panel must have a “reset” button which lets the parents wipe any and all the info the IoT toy has learned with and about the child.
A recent report shows that most consumers do not see value in the security and privacy of tech toys. Most users think that they are not supposed to know or deal with how the security of these new tech toys works. Most consumers do not understand the risks of having an insecure IoT device in their homes.
Let me ask you something, dear parent. You would not buy a house that does not have a front door, so why would you buy a tech toy for your child, knowing that there is no security in place?