Abstract

Smart toys have captured an increasing share of the toy market, and are growing ubiquitous in households with children. These toys can be considered as a subset of Internet of Things (IoT) devices, often containing sensors and artificial intelligence capabilities. They may collect personal information, and frequently have Internet connectivity directly or indirectly through companion apps. Recent studies have found security flaws in many smart toys that have led to serious privacy leaks or allowed tracking a child’s physical location. Some well-publicized discoveries of this nature have led governments around the world to ban some of these toys. To complement recent efforts in analyzing and quantifying security and privacy issues of smart toys, we set out to create two thorough analysis frameworks that are specifically crafted for smart toys. The first framework is designed to analyze legally-binding privacy policies and terms-of-use documentation of smart toys. It is based on a set of privacy-sensitive criteria that we carefully define to systematically evaluate selected privacy aspects of smart toys. We augment our work with a static analysis for the companion Android apps, which are, in most cases, essential for intended functioning of the toys. We use our framework to evaluate a representative set of 11 smart toys, along with 11 companion apps. Our analysis highlights several instances of unnecessary collection of privacy-sensitive information, the use of over-privileged apps, incomplete/lack of information about data storage practices and legal compliance. The proposed framework is a step towards enabling a comparison of smart toys from a privacy perspective, which can be useful to parents, regulatory bodies, and law-makers.
The second framework is used to investigate security and privacy practices - based on experimental analysis - of those specific kinds of IoT devices. In particular, we inspect the real practice of smart toys to determine the personal information they collect and security measures used to protect them. We also investigate potential security and privacy flaws in smart toys that can lead to leakage of private information, or allow an adversary to control the toy to lure, harm, or distress a child. Smart toys pose risks unique to this category of devices, and our work is intended to define these risks and assess a subset of toys against them. We perform a thorough experimental analysis of five smart toys and their companion apps. Our systematic analysis has uncovered that several of these toys may expose children to multiple threats through physical, nearby, or remote access to the toy.
The presented frameworks unite and complement several existing adhoc analyses, and help comprehensive evaluation of other smart toys.