Enigma 2020 has ended
Tuesday, January 28 • 4:30pm - 5:00pm
Eyes In Your Child's Bedroom: Exploiting Child Data Risks with Smart Toys

The Internet of Things (IoT) is a phenomenon that has penetrated the global market in virtually all devices capable of connecting to the internet. Smart toys are one such emerging class of device: they offer the toy experience and also provide various internet features, such as playing and interacting with one's child. Worldwide, smart toy sales in 2017 reached 5 billion and are expected to exceed 15 billion by 2022 by the IoT marketplace in 2017. Though useful, connecting to the internet also brings exposure to risks and vulnerabilities. Due to a lack of common knowledge of IoT functionality, home IoT devices pose a serious concern for users across the world. The risks are especially concerning for parents trying to protect their families' privacy and security.

Our research investigates smart toy vulnerabilities, performs penetration testing on toy products, presents a summary of the risks and vulnerabilities, and provides users with mitigation practices they can employ to secure the private spaces, data, and members of their home. A smart toy was selected as a demonstration model due to its popularity among younger audiences, its brand trust among parents, and its design decisions that make it an overpowered and under-protected target. Acting as attackers, we were able to gain root access to the device, take pictures, record videos, and create 30 GB of hidden storage space, as well as add software for remote control of the device or any other Android-based application for port scanning, emailing, or other network attacks. Additionally, we changed gameplay to inappropriate games intended to steal credit card data or other sensitive data through the child owner, who is told it is all a game. All attacks function without the user knowing that their device has been compromised. As a defense mechanism, we have both developed a user-educated threat model for home-based self-mitigation and offered actionable recommendations to the manufacturer to make the device safer: two software update options and one physical modification.

Speakers

Sanchari Das

Ph.D. Candidate and Information Security Engineer
Sanchari Das is a Ph.D. Candidate in the School of Informatics, Computing, and Engineering at Indiana University Bloomington. A security track researcher, her research interests include multi-factor authentication, usable security and privacy, user experience, social media research...


Tuesday January 28, 2020 4:30pm - 5:00pm PST
Grand Ballroom