IoT Security Risks: Drones, Vibrators, and Kids’ Toys Are Still Vulnerable to Hacking

A simple project to study compromised security cameras drew a trio of researchers deep into an investigation of the security risks of today’s connected devices. After they figured out how to bypass the camera’s authentication system and access its feed, they wondered what other devices in the growing Internet of Things (IoT) might also be vulnerable to hacking. Their list—which includes drones, children’s toys, and vibrators—raises serious concerns about the security of IoT devices.

“Our initial goal was to see if these systems were protecting the privacy of their users, but as we dug deeper into how these devices worked and how they interacted with their users, we realized that abuse was a new and unexplored possibility,” explains Alvaro Cardenas of the University of California, Santa Cruz.

In one scenario, his team showed that it’s possible to hack a children’s toy, called CogniToys Dino. In this case, an attacker can access sensitive information the child has shared with the toy, or even communicate with the child through the toy.

Under a normal situation, children talk to Dino, which responds with surprisingly realistic answers. To achieve this effect, audio of the child’s voice is transmitted and stored in the cloud.

To assess the toy’s vulnerabilities to hacking, the researchers bought a Dino and began analyzing the encrypted Real-Time Transport Protocol (RTP) traffic, which transmits audio between the Dino device and cloud. They noticed repeated patterns in the encrypted traffic and suspected that these patterns contained information about the key and crypto algorithm used to encrypt the traffic. To confirm this, they bought a second Dino, which exhibited the same patterns.

“Since the traffic was encrypted, that could only mean one thing—the Dino devices were using a weak mode of encryption and the same set of hard-coded keys to encrypt/decrypt traffic,” explains Cardenas. “Since the Dinos used the same keys, we could use one of the Dinos to decrypt the network traffic the other was sending, without us even knowing the keys being used, only their identifiers.”

By doing so, a hacker can access the audio recordings that a child shares with the toy, which could include sensitive information such as the child’s age or address. But Cardenas points to a more severe potential abuse of power—using the encryption keys, a hacker can impose his or her own voice recording into an interaction between a child and the toy, all the while sounding like Dino.

In another series of experiments, the researchers explored ways to hack vibrators. Vibrators that can be controlled remotely by apps are growing in popularity, and can be used, for example, between couples in long-distance relationships.

When attempting to intercept data transmissions between a phone app used to control the vibrator Vibease, the researchers found unencrypted information that allows a hacker to gain the username and password of a trusted partner—which could allow a hacker to impersonate an intimate partner and control the vibrator remotely. [READ MORE]