Code of practice issued to manufacturers after security vulnerabilities found in toys including smart bear and talking dinosaur
Children’s toys and baby monitors connected to the internet can be taken over by hackers, the security services have warned.
The National Cyber Security Centre (NCSC) has issued new guidance calling on manufacturers to ensure devices sold to British families are secure.
Vulnerabilities already discovered include one that could let attackers obtain audio from a baby monitor or “inject fake information about the position and temperature” of an infant on an activity tracker.
An international database also lists a “smart toy bear” with a security fault that could be used by hackers to obtain sensitive information, and a talking dinosaur that allows voice, data and video traffic to be intercepted.
The NCSC has demonstrated how an interactive doll could be compromised and used to unlock a wifi-connected front door.
A voluntary code of practice issued by the government urges manufacturers to increase security across the growing “internet of things”.
“Poorly secured devices can threaten individuals’ privacy, compromise their network security, their personal safety and could be exploited as part of large-scale cyberattacks,” a spokesperson said.
“Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s toys.”
It comes after the first ever joint “technical alert” by the UK and US revealed that unsecured routers were being targeted by Russian hackers. They were found spying on the information passing through the routers, harvesting passwords and data.
And earlier this month Russian intelligence services were accused of running 12 named hacking groups behind attacks including those on the Democratic National Committee, a British TV station, the World Anti-Doping Agency and Ukrainian transport.
The Independent understands that toys have not yet been targeted by hackers. “A vulnerability being found doesn’t necessarily mean something has been taken over and there was an exploit,” an NCSC spokesperson said.
“We should be better at holding companies to an account where something is reported and it doesn’t get fixed.”
There are expected to be more than 420 million internet-connected devices in use across the UK within the next three years, but security features are rarely advertised to families investing in smart toys, monitors, virtual assistants and other technology.
“We want to reduce the burden on consumers, it’s not reasonable to expect every parent to be a cyber security expert,” the NCSC spokesperson added.
“What we want to do is encourage companies to manage their products, keep them updated and be honest about how long they’re supported for. And to encourage retailers to consider security when they figure out what to stock. That will over time make it much easier for consumers to buy the right things.”
The code of practice stipulates that devices cannot have default passwords and companies must disclose any security vulnerabilities to authorities, keep software updated and encrypt sensitive data.
Companies HP and Centrica Hive are among the first to have signed up. The government is now “exploring options” for strengthening compliance to the guidelines.
There are questions about how far potential regulation could reach in a global market, or whether manufacturing giants such as China could be compelled to comply with British rules.
David Lidington, a cabinet office minister, said it “cannot be right” that British consumers are left to make sure their own products are safe.
“The challenge is to encourage manufacturers to help consumers by building protections into their design,” he said in a speech at the NCSC’s London headquarters.
“As our digitally connected world has expanded at an extraordinary rate, so too has the scale of vulnerabilities and the frequency of attacks that we face.”