Login | Register

An Experimental Evaluation of Smart Toys’ Security and Privacy Practices


An Experimental Evaluation of Smart Toys’ Security and Privacy Practices

Mahmoud, Moustafa ORCID: https://orcid.org/0000-0002-4756-5856 (2018) An Experimental Evaluation of Smart Toys’ Security and Privacy Practices. Masters thesis, Concordia University.

[thumbnail of Mahmoud_MASc_S2018.pdf]
Text (application/pdf)
Mahmoud_MASc_S2018.pdf - Accepted Version
Available under License Spectrum Terms of Access.


Smart toys have captured an increasing share of the toy market, and are growing ubiquitous in households with children. These toys can be considered as a subset of Internet of Things (IoT) devices, often containing sensors and artificial intelligence capabilities. They may collect personal information, and frequently have Internet connectivity directly or indirectly through companion apps. Recent studies have found security flaws in many smart toys that have led to serious privacy leaks or allowed tracking a child’s physical location. Some well-publicized discoveries of this nature have led governments around the world to ban some of these toys. To complement recent efforts in analyzing and quantifying security and privacy issues of smart toys, we set out to create two thorough analysis frameworks that are specifically crafted for smart toys. The first framework is designed to analyze legally-binding privacy policies and terms-of-use documentation of smart toys. It is based on a set of privacy-sensitive criteria that we carefully define to systematically evaluate selected privacy aspects of smart toys. We augment our work with a static analysis for the companion Android apps, which are, in most cases, essential for intended functioning of the toys. We use our framework to evaluate a representative set of 11 smart toys, along with 11 companion apps. Our analysis highlights several instances of unnecessary collection of privacy-sensitive information, the use of over-privileged apps, incomplete/lack of information about data storage practices and legal compliance. The proposed framework is a step towards enabling a comparison of smart toys from a privacy perspective, which can be useful to parents, regulatory bodies, and law-makers.
The second framework is used to investigate security and privacy practices - based on experimental analysis - of those specific kinds of IoT devices. In particular, we inspect the real practice of smart toys to determine the personal information they collect and security measures used to protect them. We also investigate potential security and privacy flaws in smart toys that can lead to leakage of private information, or allow an adversary to control the toy to lure, harm, or distress a child. Smart toys pose risks unique to this category of devices, and our work is intended to define these risks and assess a subset of toys against them. We perform a thorough experimental analysis of five smart toys and their companion apps. Our systematic analysis has uncovered that several of these toys may expose children to multiple threats through physical, nearby, or remote access to the toy.
The presented frameworks unite and complement several existing adhoc analyses, and help comprehensive evaluation of other smart toys.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Thesis (Masters)
Authors:Mahmoud, Moustafa
Institution:Concordia University
Degree Name:M.A. Sc.
Program:Information Systems Security
Date:20 March 2018
Thesis Supervisor(s):Youssef, Amr
Keywords:IoT - Smart Toys - Security - Privacy
ID Code:983590
Deposited By: Moustafa Mahmoud
Deposited On:11 Jun 2018 03:06
Last Modified:11 Jun 2018 03:06
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top