Stop the Planet, I want to get off.
The French data protection agency has issued a formal notice to a biz peddling allegedly insecure toys, just in time for Christmas. The mass-marketed toys in question – Genesis Toys' My Friend Cayla doll and i-Que robot – are Bluetooth-enabled so they can capture and analyse children's speech through an app on – ideally – …
Working as I do with French "security experts" I know that they are a long way behind the curve but this is old news. It was reported by Pen Test Partners in January 2015. Pen Test Partners have been meticulously wading through the Internet of Tat over the last three years and have unearthed multiple horrors.
I suspect that the in-depth French research consisted of looking at this page.
I'm also a bit surprised by El Reg here, because it was covered at the time by... El Reg.
Even the Germans have been in on the act.
Yes, but they are far more protected to ensure the huge trove of information they collect only goes to the makers' systems. Amazon and Google don't like it at all if anybody near your device can get that data; otherwise, how could they fully monetize it? Also, you have to pay Google and Amazon to train people into buying your products; you can't do it yourself just by sending some vans around the city... Genesis didn't really learn the ABC of the data hoarder and electronic behavioral modification.
I often try to imagine when things like this happen about the meeting where they decided to do the thing that has gone wrong. What was discussed? Who would have raised what? Who would have warned others in the company of the mistakes they were making? Who decided to push on regardless? Did people argue?
However in this case all I can picture is three screaming monkeys and two braying donkeys in a room thrashing it out on power point while a barking dog takes notes.
"I often try to imagine when things like this happen about the meeting where they decided to do the thing that has gone wrong."
When the problems with the Cayla doll were first raised, the tester, Ken Munro, raised his findings with Genesis Toys before going public, so the company was well aware of the problems. The company chose to do very little to fix the problems. Given that the doll is cheap to produce and probably very cheap to fix, the company's refusal to address the problems shows a cheapskate attitude and a complete lack of concern for anyone else's children.
The problems reported by PTP nearly three years ago persist and are cause for concern. The Cayla doll uses a data dictionary to respond to a child. The database is easily hacked (details given in the PTP security blog) and the doll can be made to give *any* response to a child. The fact that it's a Bluetooth headset permits anyone within range to pair and talk to the child. The original demos of the security flaws (numerous conferences in the UK) had examples of Cayla talking dirty and in the closed sessions examples of how the doll could be used for "grooming". It's worth reading the PTP blog on this product.
The sales website is also cause for concern. Firstly, there are no company details given on the site, no way to contact the supplier. That is IMO always a sign of a company that doesn't want to see any complaints from the public. The website also claims that the "safety features" built into the doll protect the child: "There are four levels of safeguards in place which makes playing with Cayla much safer than simply handing a tablet to a child." Given that the company knows of the security issues with the device, these assurances are false (they are given in greater detail on the company website). These include statements such as "Additional words or phrases can be added to the blocked list via the app. Please note that once a word is added to the blocked list this cannot be undone and the list cannot be viewed." However, the blog shows that the list can be easily viewed. There's also an indication that the "blocked list" is drawn up for middle-class American Christian sensibilities. Woe betide any married UK gay couple who buy this doll for their kids. According to Cayla, they don't exist.
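An added example, not code from Genesis Toys, Pen Test Partners or the article: the two controls the comment above describes, a response dictionary that should resist tampering and a blocked list that the app can extend but not read, written as a hypothetical toy firmware module in Python. The sample dictionary, the pinned digest, the `BlockedList` class and the `safe_answer` function are all constructed for illustration and assume nothing about the real doll's software.

```python
"""Integrity check for a toy's response dictionary, plus a blocked list that can
be enforced without being readable. Added example for a hypothetical voice toy;
none of this is Genesis Toys' or Pen Test Partners' code."""
import hashlib
import hmac
import json
import os
import re
from typing import Optional

# Constructed sample of the question -> response table a doll might ship with.
SHIPPED_DICTIONARY = {
    "what is your name": "My name is Cayla.",
    "do you like maths": "Maths is great fun.",
}


def dictionary_digest(entries: dict) -> str:
    """SHA-256 over a canonical JSON form, so editing any response changes the digest."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


# On a real device this value belongs in signed firmware, not in the writable
# data store next to the dictionary; here it is computed once at import time.
PINNED_DIGEST = dictionary_digest(SHIPPED_DICTIONARY)


def load_dictionary(entries: dict, pinned: str = PINNED_DIGEST) -> dict:
    """Return the dictionary only if it matches the pinned digest; otherwise refuse."""
    if not hmac.compare_digest(dictionary_digest(entries), pinned):
        raise ValueError("response dictionary failed integrity check")
    return entries


def normalise_question(question: str) -> str:
    """Lower-case and strip punctuation so 'Do you like maths?' hits its key."""
    return re.sub(r"[^a-z' ]", "", question.lower()).strip()


def answer(entries: dict, question: str) -> str:
    """Look up a response, but never from a dictionary that fails the check."""
    table = load_dictionary(entries)
    return table.get(normalise_question(question), "I don't know that one.")


class BlockedList:
    """Blocked words kept as salted SHA-256 hashes.

    Membership can be tested, so responses are still filtered, but the stored
    form does not reveal the words. Limit: short words with the salt stored
    alongside can be guessed offline, so this hides the list from casual
    reading, not from a determined attacker holding the device.
    """

    def __init__(self, salt: Optional[bytes] = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self._hashes = set()

    def _hash(self, word: str) -> str:
        return hashlib.sha256(self.salt + word.strip().lower().encode()).hexdigest()

    def add(self, word: str) -> None:
        """Adding is one-way: only the hash is kept, matching the vendor's stated behaviour."""
        self._hashes.add(self._hash(word))

    def is_blocked(self, text: str) -> bool:
        """True if any word in the text hashes to a blocked entry."""
        tokens = re.findall(r"[a-z']+", text.lower())
        return any(self._hash(tok) in self._hashes for tok in tokens)

    def export(self) -> list:
        """What an app or a curious reader gets back from storage: hashes, not words."""
        return sorted(self._hashes)


def safe_answer(entries: dict, question: str, blocked: BlockedList) -> str:
    """Full path: integrity-checked lookup, then blocked-list filtering."""
    response = answer(entries, question)
    return "Let's talk about something else." if blocked.is_blocked(response) else response


if __name__ == "__main__":
    bl = BlockedList()
    bl.add("maths")
    print(safe_answer(SHIPPED_DICTIONARY, "Do you like maths?", bl))
    tampered = dict(SHIPPED_DICTIONARY, **{"do you like maths": "a response the maker never approved"})
    try:
        safe_answer(tampered, "do you like maths", bl)
    except ValueError as err:
        print("rejected:", err)
```

The point of pinning the digest in firmware rather than beside the data is that replacing the dictionary file alone, the kind of edit the comment says is easy, no longer changes what the doll says; it changes the doll into one that refuses to answer until the vendor ships a matching update.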
"Moreover, would-be dodgy characters don't even need the Cayla or i-Que app installed, because phones simply identify the doll as a hands-free headset."
"The agency said the toys were in breach of Article 1 of the French Data Protection Act, which provides that technology "shall not violate human identity, human rights, privacy, or individual or public liberties"."
Does that mean Bluetooth headsets are also in breach, if they're just the same tech in a different plastic shell?