Great Aunt Mabel’s FBI checklist for smart gift buying
via Flickr © Sarah_Ackerman (CC BY 2.0)
- The FBI puts out a consumer warning on smart toys
- With cameras, microphones and internet access these things are a danger
- Recommends long list of unlikely to be followed safeguards
When it’s not looking into things like presidential collusion with the Russians, the FBI keeps itself busy investigating a range of threats to the American people. And it’s quite rightly focused on internet-connected toys, sending out an official ‘Consumer Notice’ warning of the dangers and recommending protective steps. The trouble is the steps are so involved and so, well, techy, that they won’t be taken up by 99.99 (pick your own number of nines) per cent of any population.
Smart toys, says the FBI, ‘could’ present privacy and contact concerns for children. These toys typically contain sensors, microphones, cameras and even data storage components which could be programmed to undertake speech recognition and fix a device’s location all the while backhauling the information into the Internet, thus blowing privacy and at worst, putting children at risk ie at risk of grooming and/or abduction.
And not just toys. With the apparent popularity of the digital assistant (which typically stays live and listening to hear it’s name called), it’s not just children that might be in the privacy-busting firing line. These adult toys too open up the possibility that background chatter could easily be processed and speech recognised. That leaves the way open to things like credit card abuse, burglary and a whole range of high crimes and misdemeanors.
When you add toys with microphones AND cameras then we’re really in trouble. You only need to add a small dollop of imagination to factor machine learning into the recipe and you have an autocrime kit. Reading out a bank password (or keeping it pinned to the side of the monitor) could soon result in a sub-second dip into your bank account.
What’s interesting is the scope of the counter-criminal measures recommended by the FBI. Like those old car manuals that recommended checking tyre pressure, oil level and radiator coolant before every drive, the FBI has come up with an exhaustive (not to say, exhausting) set of countermeasures. It urges...
“Consumers should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services. Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use. Consumers should perform online research of these products for any known issues that have been identified by security researchers or in consumer reports.”
As if that sort of extreme vetting is going to happen at the height of the gift-buying season (or at any other time). Your Great Aunt Mabel examining privacy practices and doing a bit of online research for due diligence?
Do me a favour.
The FBI goes on to outline why the toys are vulnerable
“Data collected from interactions or conversations between children and toys are typically sent and stored by the manufacturer or developer via server or cloud service. In some cases, it is also collected by third-party companies who manage the voice recognition software used in the toys. Voice recordings, toy Web application (parent app) passwords, home addresses, Wi-Fi information, or sensitive personal data could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.”
It then helpfully lays out a set of 10 detailed steps that Great Aunt Mabel should take before shoving her credit card into the reader. They include:
- Research for any known reported security issues online
- Only connect and use toys in environments with trusted and secured Wi-Fi Internet access
- Research the toy’s Internet and device connection security measures
- Use authentication when pairing the device with Bluetooth (via PIN code or password)
- Use encryption when transmitting data from the toy to the Wi-Fi access point and to the server or cloud
- Research if your toys can receive firmware and/or software updates and security patches
And another six in similar vein.
If that doesn’t put Aunt Mabel off buying anything like a smart toy after reading just the first step then she needs to seek urgent psychiatric attention.
Of course the FBI is absolutely right. But clearly the answer isn’t to issue guidelines to individual consumers, it’s to push for proper privacy regulation and inspection of all products to ensure they conform. Plus the establishment of trusted data repositories where any generated data must be sifted or deposited to try to prevent widespread abuse. A few guidelines won’t do anything to reduce the threat.
But then, by showing the counter-measure requirement, maybe a change in policy is what the FBI had in mind all along.