Following the news of security concerns about My Friend Cayla, David Emm, Principal Security Researcher at Kaspersky Lab, commented below.
David Emm, Principal Security Researcher at Kaspersky Lab:
“My Friend Cayla is hitting the headlines, following a call for parents to destroy the doll by Germany’s Federal Network Agency. The doll is equipped with a Bluetooth chip to enable it to answer questions through the Internet. However, it also asks for sensitive information, such as hometown, parent’s and user’s name, and school. Concerns about the doll therefore centre mainly around privacy – the fact that secrets entrusted to the doll by a child could be accessed by a hacker.
This of course isn’t the first doll to cause security concerns. In 2015, US security expert Matt Jakubowski was able to extract the Wi-Fi network name, internal MAC address, account IDs and MP3 files from Mattel’s interactive ‘Hello Barbie’ doll. This is enough to gain access to the Hello Barbie account and home network – thereby compromising the wider security of any family of a child using the doll.
We live in a connected world, where even our children’s toys could become the means for personal data being captured by attackers. It’s really important that, when considering such toys as gifts, parents look beyond the fun aspect of a toy and consider the impact it might have on their child and the wider family.
However, there is also a role for the manufacturers of connected products and the security industry. We need to work together to ensure that strong protection and patch management is designed-in from the very start. Once a product is on the market, it is already too late.”