#InfosecNA: How IoT Gadgets Can Spy on Your Children

At Infosecurity ISACA North America Expo and Conference in New York this week, Ken Munro, CEO of Pen Test Partners, took visitors on what he referred to as a “scary, creepy tour” of IoT-related security issues. Munro explained that a child's doll, marketed as ‘My Friend Cayla,’ is just one example of the growing number of IoT-enabled consumer and commercial products on the market whose designs lack proper security, leaving many of them vulnerable to attack.

Cayla, for example, is a children’s doll endowed with speech recognition technology that enables it to have a conversation with a child. The big selling point for parents, however, is Cayla's GPS receiver and wireless module, which allow them to track and listen in on their child. Although Cayla was supposed to be ‘kid-friendly’ and ‘cyber-safe,’ Munro’s long experience exploring the vulnerabilities of embedded systems made him suspect otherwise. It wasn't long before he discovered what he described as “a huge attack surface” that allowed him and his team to bring out another, more sinister, side of Cayla.

Using a simple program that mimicked Cayla's phone app, the Pen Test Partners team was able to access the doll’s web-based portal and change their user status code from 1 to 0, giving them complete administrative access to the doll's features as well as the user information of all the other dolls' owners. From there, they were able to modify the table that prevented Cayla from using 1500 words deemed to be “naughty,” which, in Munro's words, “allowed her to swear like a sailor.” Had they chosen to do so, this access would have also allowed them to acce ..
