Students hack into kids’ toys and control them

Cyber security expert Susan Gardner and the computing students who carried out the research
Cyber security expert Susan Gardner and the computing students who carried out the research

Cyber security students are warning parents after hacking into interactive kids’ toys and getting them to do and say whatever they wanted.

The Forth Valley College students at the Falkirk campus carried out the research on speaking toys or devices such as talking cuddly toys, robots, baby monitors, SIRI equipped laptops and Q&A devices for toddlers with disturbing findings.

The aim was to test popular children’s toys at the lower end price range that are widely available, can be interconnected via the internet and therefore vulnerable to hackers.

One of the toys the group, which is studying data security, digital forensics and ethical hacking as part of their Level 5 National Progression Award (NPA) course, was the speaking My Friend Freddy bear.

The students were able to make the bear say whatever they wanted it to, which tutor Susan Gardner, an ethical hacker and cyber security expert, said had “frightening” results – including a lack of legal liability from manufacturers.

She said: “We looked closely at a cute, and very popular, speaking bear and it became evident very quickly that we could use this for malicious intent.

“It was very easy to exploit the technology that was housed within the product and we could control the bear in a variety of ways.

“The group did a task to perform reconnaissance on the bear before we unboxed it. We built a profile and tried to figure out as much as we could and also tread through legal agreements.

“Our findings from this research did not particularly shock me, but it did shock my students, especially the ones with children. Students were shocked to quickly find out that the manufacturer was not liable for such potential threats. Students also tested at a range of around 20 metres, and in different rooms, and we could get it to say anything they wanted it to say!

“This was without downloading the recommended app to a smart device, so it really was quite frightening. Our intent is not to scaremonger parents on which toys they may buy their children, but to let them be aware of the security issues that may exist and how to protect them.

“Potentially someone could sit in a car outside in the street and exploit a young child’s toy in their own home. Hopefully we can now make people aware that when they buy these toys – the bear can be bought for under £10 – they need to take steps to secure it themselves as the makers will not take any responsibility for anyone hacking in to it.”

Vivid Toy Group, which is the importers of My Friend Freddy, say the toy is safe to use.

A spokesperson said: “My Friend Freddy is an interactive bear which, when paired with the parent/carers’ smart device via Bluetooth and used with the My Friend Freddy app, offers various interactive activities including stories, learning games and counting exercises.

“My Friend Freddy can only be paired with one device at a time and is safe to use when used in accordance with the user instructions and recommendations.”

Susan Gardner said securing devices in the internet age is massively important to keep yourself and your family safe while using interactive devices.

She added: “As a massive boom in the ‘internet of things’ grows at a rapid rate, securing such devices is very important.

“Exploits such as hacking into people’s homes, to devices such as smart thermostats, cameras and locks etc, are potential threats that are on our doorsteps.

“Our aim as a computing department at FVC is to promote programming and security as these are the essential skills needed to protect to keep up with the growth rates in development.

“We are proud of the courses that we deliver as a department and have lecturers here that have great skill sets to provide leading research in a variety of areas.”

Mrs Gardner, who is an expert in the field of ethical hacking and software development, is optimistic that one of the ways forward is teaching students about the possible dangers and how to combat them. She believes their skills will be much sought after in all industries and workplaces in the near future.

Susan added: “I love the internet and new technology and I believe we should have all these smart devices, but I also believe we should make sure they are secure as they can be. And a little bit awareness can go a long way.

“I have attended various conferences in Cyber Security and attended InfoSec and the general message is the rate things are evolving is exponential and there just isn’t enough cyber security professionals available.

“That is why Forth Valley College (FVC) is one of the sector leading further education facilities in Central Scotland offering specific courses in this field.

“We recognise that highly training computer graduates are going to be essential in the coming years and we provide that higher level training.

“Cyber Security and Ethical Hacking has been taught here at FVC for the last two years and we are teaching what to look out for and how to combat cyber crime. So we focus on the positive rather than the negative aspects of hacking that you hear about in the media.

“This means our graduates will perhaps be able to become valuable assets for toy and home appliance manufacturers – so that innocent people do not have to grin and bear it when their devices have been exploited.”

Forth Valley College Principal Dr Ken Thomson said: “Forth Valley College prides itself on its innovation and cutting edge sector leading departments and it is telling research such as this – carried out by Susan Gardner and her National Progression Award class studying data security, digital forensics and ethical hacking – that is enhancing our reputation.

“We are very proud of the work of our staff and students in the computing section of our creative industries department. It is another example of how we are making learning work here at Forth Valley College.”

For more information on computing courses at Forth Valley College click here or call (01324) 403000.

FVC Tips to protect devices and networks

Establish Parental Controls, control the content that your children can access.

Disable Location Services, location based malware and tracking can be a serious problem.

Mute Any Microphones and Block Any Webcams

Disable In-App Purchases, don’t get caught out if credit cards are linked to your account and can be accessible to your children and someone else.

Disable access to the permissions that can compromise your privacy for example access to your contacts.

Enforce Strong Passwords, using a variety of uppercase, lowercase, symbols and number characters. You should also have a different password for every account you own and don’t use personal information when creating them.

Antivirus and Antimalware Software for your home network, keeping your network up to date makes for more protection.

Maintaining security features on your home network for example only allowing certain devices to access your network.