Watchdog group claims smart toys are spying on kids

Some people consider dolls creepy enough, but what if that deceptively cute toy was listening to everything you said and, worse yet, letting creeps speak through it?

According to The Center for Digital Democracy, a pair of smart toys designed to engage with children in new and entertaining ways are rife with security and privacy holes. The watchdog group was so concerned, they filed a complaint with the Federal Trade Commission on Dec. 6 (you can read the full complaint here). A similar one was also filed in Europe by the Norwegian Consumer Council.

“This complaint concerns toys that spy,” reads the complaint, which claims the Genesis Toys’ My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information.

Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways.

Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while “most of Cayla’s conversational features can be accessed offline,” searching for information may require an internet connection.

The promotional video for Cayla encourages children to “ask Cayla almost anything.”

The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on on screen.

The CDD takes particular issue with that app and lists all the questions it asks children (or their parents) up front during registration: everything from the child and her parent’s names to their school, and where they live.

While some of the questions children ask the dolls are apparently recorded and sent to Nuance’s servers for parsing, it’s unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information.

Nuance, a multibillion-dollar communication company, provides voice-recognition services across multiple industries and has reportedly served as the voice recognition technology behind Apple’s Siri. In fact, most digital voice assistants, like Amazon Alex and Google Assistant, employ some form of speech recognition and connect to the internet to find the answers to queries that have usually been converted to text.

The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, “Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing.”

Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys’ open Bluetooth networks, according to the complaint.

“Researchers discovered that by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys,” reads the FTC complaint.

In other words, someone might be able to use their own smartphone to speak to a child through one of these dolls. The CDD demonstrated this hack in the video above.

"[It's] significant that they went after a small company rather than Mattel for the Hello Dreamhouse, which is similar tech," wrote toy expert and Content Director for the toy recommendation site TTPM when contacted via email. Byrne added that while consumer toy complaints are relatively common, formal complaints are rare. This particular complaint "raises a whole lot of issues, particularly related to COPA and what that covers," wrote Byrne.

These toys, which were released late last year, are still hot holiday items. Mashable contacted Genesis Toys and the CDD about the complaint and will update this post with their comments. The FTC could not comment directly on the filing but a spokesperson told us in an email, “All we can say about how complaints are handled and what might result is that every complaint is taken seriously.”

In the meantime, if these toys are on your holiday list, you might want to double check the Bluetooth setup -- there should always be a pairing authentication strategy -- and talk to your children about which conversations are appropriate to have with their robot toy friends.