Security and Privacy Analyses of Internet of Things Children's Toys
Gordon Chu, Noah Apthorpe, Nick Feamster

TL;DR
This study examines the security and privacy flaws in three popular IoT children's toys, revealing undisclosed vulnerabilities that breach privacy regulations and highlight the need for better security practices in IoT toy development.
Contribution
The paper provides a detailed security and privacy analysis of commercial IoT children's toys, uncovering vulnerabilities and regulatory violations through static and dynamic testing methods.
Findings
Discovered undisclosed vulnerabilities violating COPPA
Identified security flaws in network communications
Highlighted disconnect between developers and security best practices
Abstract
This paper investigates the security and privacy of Internet-connected children's smart toys through case studies of three commercially-available products. We conduct network and application vulnerability analyses of each toy using static and dynamic analysis techniques, including application binary decompilation and network monitoring. We discover several publicly undisclosed vulnerabilities that violate the Children's Online Privacy Protection Rule (COPPA) as well as the toys' individual privacy policies. These vulnerabilities, especially security flaws in network communications with first-party servers, are indicative of a disconnect between many IoT toy developers and security and privacy best practices despite increased attention to Internet-connected toy hacking risks.
