#Toyfail

6. desember, 2016

An analysis of consumer and privacy issues in three internet-connected toys

As a part of a larger project centering on the IoT, the Norwegian Consumer Council (NCC) has looked at the terms and conditions and technical features of three connected toys. By virtue of being targeted toward children, an especially vulnerable group of consumers, issues related to consumer rights, security, and privacy was highlighted through the NCC’s study.

In addition to analyzing legal documents, the NCC commissioned a technical report on the actual functionalities of the toys and companion apps. In this technical study, it was discovered that two of the toys have practically no embedded security. This means that anyone may gain access to the microphone and speakers within the toys, without requiring physical access to the products. This is a serious security flaw, which should never have been present in the toys in the
first place.

Furthermore, the tests found evidence that voice data is being transferred to a company in the US, who also specialize in collecting biometric data such as voice-fingerprinting. Finally, it was revealed that two of the toys are embedded with pre-programmed phrases endorsing different commercial products, which practically constitutes product-placement within the toys themselves.