Children’s toys and baby monitors can be taken over by hackers, security services warn

Code of practice issued to manufacturers after security vulnerabilities found in toys including smart bear and talking dinosaur

Lizzie Dearden
Security correspondent
Sunday 28 October 2018 12:52 EDT
Comments
Baby monitors are among devices vulnerable to attack
Baby monitors are among devices vulnerable to attack

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Children’s toys and baby monitors connected to the internet can be taken over by hackers, the security services have warned.

The National Cyber Security Centre (NCSC) has issued new guidance calling on manufacturers to ensure devices sold to British families are secure.

Vulnerabilities already discovered include one that could let attackers obtain audio from a baby monitor or “inject fake information about the position and temperature” of an infant on an activity tracker.

An international database also lists a “smart toy bear” with a security fault that could be used by hackers to obtain sensitive information, and a talking dinosaur that allows voice, data and video traffic to be intercepted.

The NCSC has demonstrated how an interactive doll could be compromised and used to unlock a wifi-connected front door.

A voluntary code of practice issued by the government urges manufacturers to increase security across the growing “internet of things”.

“Poorly secured devices can threaten individuals’ privacy, compromise their network security, their personal safety and could be exploited as part of large-scale cyberattacks,” a spokesperson said.

FBI asks people to turn their routers off after Russian malware detected

“Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s toys.”

It comes after the first ever joint “technical alert” by the UK and US revealed that unsecured routers were being targeted by Russian hackers. They were found spying on the information passing through the routers, harvesting passwords and data.

And earlier this month Russian intelligence services were accused of running 12 named hacking groups behind attacks including those on the Democratic National Committee, a British TV station, the World Anti-Doping Agency and Ukrainian transport.

The Independent understands that toys have not yet been targeted by hackers. “A vulnerability being found doesn’t necessarily mean something has been taken over and there was an exploit,” an NCSC spokesperson said.

“We should be better at holding companies to an account where something is reported and it doesn’t get fixed.”

There are expected to be more than 420 million internet-connected devices in use across the UK within the next three years, but security features are rarely advertised to families investing in smart toys, monitors, virtual assistants and other technology.

“We want to reduce the burden on consumers, it’s not reasonable to expect every parent to be a cyber security expert,” the NCSC spokesperson added.

“What we want to do is encourage companies to manage their products, keep them updated and be honest about how long they’re supported for. And to encourage retailers to consider security when they figure out what to stock. That will over time make it much easier for consumers to buy the right things.”

The code of practice stipulates that devices cannot have default passwords and companies must disclose any security vulnerabilities to authorities, keep software updated and encrypt sensitive data.

Companies HP and Centrica Hive are among the first to have signed up. The government is now “exploring options” for strengthening compliance to the guidelines.

There are questions about how far potential regulation could reach in a global market, or whether manufacturing giants such as China could be compelled to comply with British rules.

David Lidington, a cabinet office minister, said it “cannot be right” that British consumers are left to make sure their own products are safe.

“The challenge is to encourage manufacturers to help consumers by building protections into their design,” he said in a speech at the NCSC’s London headquarters.

“As our digitally connected world has expanded at an extraordinary rate, so too has the scale of vulnerabilities and the frequency of attacks that we face.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in