Visible to the public Security & Privacy in Smart Toys

TitleSecurity & Privacy in Smart Toys
Publication TypeConference Paper
Year of Publication2017
AuthorsValente, Junia, Cardenas, Alvaro A.
Conference NameProceedings of the 2017 Workshop on Internet of Things Security and Privacy
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-5396-0
Keywordscommand injection attacks, composability, Metrics, pubcrawl, resilience, Resiliency

We analyze the security practices of three smart toys that communicate with children through voice commands. We show the general communication architecture, and some general security and privacy practices by each of the devices. Then we focus on the analysis of one particular toy, and show how attackers can decrypt communications to and from a target device, and perhaps more worryingly, the attackers can also inject audio into the toy so the children listens to any arbitrary audio file the attacker sends to the toy. This last attack raises new safety concerns that manufacturers of smart toys should prevent.

Citation Keyvalente_security_2017