I thought I’ll share these “MUST DOs” for toy manufacturers looking to bring smart toys to the market. In this video presentation for the RCA Conference, Oren Yomtov, former Israeli Intelligence and Security Researcher at Synack, highlighted some great steps necessary in order to make smart toys more secure.I found this video very helpful. I’ve also included a summary below.
Smart toy = physical toy + any screen (iPad, iPhone, desktop) + game software
Most common way that a toy will communicate with a server is through HTTP.
- APP < HTTP> SERVER – Toy is connected to the internet via an app primarily through Bluetooth connectivity.
- TOY <HTTP> SERVER – Toy is connected to the internet directly via Wi-Fi.
Oren recommends the following best practices:
- HTTPS – To encrypt the communication thus mitigating the middle man attack where a hacker can sniff and alter the communication.
- Certificate validation – Install all the required certificate authorities when using HTTPS.
- Certificate pinning – This method takes the certificates from the server and hardcodes them into the toy so that the server knows it will only talk to that toy.
Prevent the following WEB API attacks by referencing OWASP Top 10
- SQL injection
- Broken authentication
- Path traversal
Mitigate hacker from intercepting a firmware update from the server to the toy in order to prevent hacker from implanting hacked code.
Firmware signing – Before the toy accepts and installs any firmware update, it verifies that it was signed by the manufacturer. This approach could be used in addition to HTTP.
HTTPS – Use HTTPS throughout the entire communication.
Encryption – An extra step to prevent hackers from intercepting the firmware. The approach is to encrypt firmware leaving the server and decrypt the firmware when it gets to the toy.
Bluetooth – Best to use dynamically generated numbers for the pairing process.
Toy (device storage) – Do not expose serial consoles on the hardware. Not securing device storage could expose the following Hardcoded Secrets:
- API Keys (e.g. AWS)
- URLs not meant to be exposed to end users
- Encryption keys
As toys are getting smarter let’s make them even more secure and safer for our kids.