Security flaws in a doll have sparked concern regarding the safety of smart toys. TechWatch’s Emily McDaid spoke to CSIT’s Dr Ciara Rafferty to find out more.
Researchers at Queen’s University Belfast’s Centre for Secure Information Technologies (CSIT) have been researching the security of smart toys.
“The My Princess Cayla Doll is hard to come by now, because its security flaws have been publicised across the globe,” says lecturer Dr Ciara Rafferty from CSIT. Rafferty is an expert in fully homomorphic encryption, an important technique to enable computing on encrypted data.
As a project in hardware security, Rafferty oversaw the work of an intern who effectively tried to “break into the doll”. The doll comes with embedded speaker, microphone and Bluetooth connectivity, enabling it to connect to the internet via a tethered smartphone and app.
She explains: “His project was intended to last for eight weeks, but he did it in three days. Because there was so little security, it was very easy to exploit.”
What sort of hacking? Rafferty says: “You can access the app and rewrite the stories that the doll tells, so it will recount any text that you type in. The doll’s Bluetooth connection can be exploited and, on top of that, the app is insecure.”
The doll gained so much notoriety, the German government actually “classified it as a concealed espionage device, because it can listen to you or your kids”, she says. German parents were instructed to destroy the doll, reports the BBC.
The real fear here is not that a Cayla doll will infiltrate your home, but that any kids’ toy with connectivity could be vulnerable. Do toy manufacturers have the ability to put potentially expensive security features in inexpensive dolls, robots and other toys?
Rafferty says: “A report by the Children’s Commissioner in England discussed who sees the data you put online about your children. The amount of data people are posting about their children, through Facebook or Instagram for instance, can be staggering. Teachers also need to be retrained on this topic.
“Which? magazine posted tips for parents about smart toys.”
Overall, do you think internet of things (IoT) devices are making kids smarter? “You don’t want to scare people. I think anything to interest and encourage children to interact is a good thing. Working in technology, you can teach kids from an early age how to use it safely – because you can’t avoid technology,” Rafferty concludes.
When she’s not hacking smart toys, Rafferty’s research in homomorphic encryption is breaking other sorts of ground. “It’s fascinating to see how homomorphic encryption can be used in data analytics – fintech, for instance. There are untrusted cloud service providers who store sensitive information in the cloud. This will enable encrypted analysis in the cloud; it will be a killer app,” she explains.
Rafferty’s team came up with a hardware solution that was “105 times faster than the software version”.
I remark that it sounds like a good investment area, and Rafferty notes a use case where this could help. “If you consider the online DNA and genome-testing services that are being advertised in the mass media now, how is that data being held in the cloud? It’s not like giving away what your favourite colour is – these providers hold your actual DNA, the very information that describes you.”
But, she notes, there are risks with sharing such personal data. “If fully homomorphic encryption could be used in this instance, a user could upload encrypted data to the cloud, take advantage of the cloud computations and download results, without revealing sensitive information to the cloud service provider. However, we still need to further research homomorphic encryption schemes to enable sufficient performance for real-world use cases.”
Rafferty says there are many solutions, either using homomorphic encryption to compute on data without decrypting it, identity-based encryption, or access control-based methods.
Information for parents, and government tips on smart toys can be found here.
By Emily McDaid, editor, TechWatch
A version of this article originally appeared on TechWatch