Commjacking a Child’s World

Dror LiwerBlog

We know the dangers of using laptops, smartphones and tablets on unsecure WiFi. And now we see that commjackers can infiltrate our lives through other WiFi-enabled products like cars and TVs.

Kids’ toys and baby products bring commjackers right into the house, creating a terrifying reality where strangers can spy on the average family.


Hello Barbie

Barbie, the mainstay blonde doll in popular culture for more than 50 years, has been through quite the revolution in the past year. Before Barbie was recently redesigned to include a variety of body types, hair textures and skin colors, she was revealed to be intelligent. The artificial intelligence Barbie, called Hello Barbie, debuted in September as a new toy that can have a conversation.

When a child pushes Barbie’s belt and asks a question or tells her a story, the audio is encrypted and transmitted via WiFi to computer servers at ToyTalk, the company that collaborated with Mattel to bring Barbie to life. Speech-recognition software converts the audio signal into a text file that is analyzed for the appropriate response and sent back to Barbie for her to use as a reply. All this happens in less than a second.

While this is all well and good for innovation in A.I. and children’s toys, it is a golden opportunity for commjackers. Hello Barbie is capable of being hacked. Once a commjacker has gained access to the doll, all privacy features can be overridden and a home’s WiFi network, over which Barbie transmits her information, can be commjacked. Commjackers can take advantage of a toy to steal sensitive personal data from adults and children alike.

Privacy advocates also worry that recording and storing children’s conversations is a dangerous endeavor. Mattel and ToyTalk assure parents all files are encrypted and used only for speech-recognition purposes, but many see intimate conversations as a point of potential exploitation.


Goodnight Baby

Many years before children are interested in playing with Barbie, commjackers have the opportunity to enter the home through an essential parenting technology. Traditional baby monitors use a radio frequency to listen, within a short range of distance, to a baby. Advanced baby monitors use Internet-connected cameras to pass a live feed of baby’s activity over a WiFi network to smartphones.

But parents aren’t the only ones getting a view. [Tweet “Commjackers hack into monitors to speak to children, watch the live feed or spy on a family.”] A recent security test of the most popular monitors on the market revealed 8 out of 9 failed and the ninth one barely passed. Security researcher Mark Stanislav of Rapid 7 said, “Every camera had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”

The flaws in the monitors, such as default passwords, lack of encryption or open ports —considered trivial in the security world—create easy gateways for commjackers to gain control of a home network. And just like Hello Barbie, the wealth of information to be stolen from a home network is a serious situation.

Parents should be aware seemingly innocent technology is a gateway for prime commjacking. A toy that can converse and encourage children is great for aiding childhood development. Most parents can’t imagine raising an infant without a monitor. But the reality is that these devices have risks.

Quoting researcher, Brian Krebbs: “Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. After all, there is a good chance your newly adopted IoT puppy will be:

  • chewing holes in your network defenses;
  • gnawing open new critical security weaknesses;
  • bred by a vendor that seldom and belatedly patches;
  • tough to wrangle down and patch