Eyes in Your Child's Bedroom: Exploiting Child Data Risks with Smart Toys

Tuesday, January 28, 2020 - 4:30 pm–5:00 pm

Sanchari Das, Ph.D. Candidate and Information Security Engineer


The Internet of Things (IoT) is a phenomenon that has penetrated the global market in virtually all devices capable of connecting to the internet. Smart toys are one such emerging class of device, offering the toy experience while also providing various internet features, such as playing and interacting with one's child. Worldwide, smart toy sales in 2017 reached 5 billion and, as projected by the IoT marketplace in 2017, are expected to exceed 15 billion by 2022. Though useful, exposure to the internet also brings exposure to risks and vulnerabilities. Due to a lack of common knowledge of IoT functionality, home IoT devices pose a serious concern for users across the world. The risks are especially concerning for parents seeking to protect their families' privacy and security.

Our research investigates smart toy vulnerabilities and performs penetration testing on toy products, presents a summary of the risks and vulnerabilities, and provides users with employable mitigation practices to secure the private spaces, data, and members of their home. A Smart Toy was selected as a demonstration model due to its popularity among younger audiences, its brand trust among parents, and its design decisions that make it an overpowered and under-protected target. Acting as attackers, we were able to gain root access to the device, gain access to take pictures, record videos, create 30 GB of hidden storage space, as well as add software for remote control of the device or any other Android-based application for port scanning, emailing, or other network attacks. Additionally, we changed gameplay to inappropriate games intended to steal credit card data or other sensitive data through the child owner, who is told it is all a game. All attacks function without the user knowing that their device has been compromised. As a defense mechanism, we have both developed a user-educated threat model for home-based self-mitigation and offered actionable recommendations to the manufacturer in order to make the device safer through two software update options and one physical modification.

Sanchari Das is a Ph.D. Candidate in the School of Informatics, Computing, and Engineering at Indiana University Bloomington. A security track researcher, her research interests include multi-factor authentication, usable security and privacy, user experience, social media research, third party privacy, user risk perception, online harassment, risk communication, and human-computer interaction.

Currently working for American Express as an Information Security Engineer and Project Manager for the Identity and Access Management Team (Identity Services), she also took the role of a Global Privacy Adviser at XRSI.org. She has also presented her research work at several conferences such as RSA, BlackHat, Financial Cryptography, HAISA, SOUPS, SM&S.

She has received dual Master's degrees from Jadavpur University, Kolkata, India (Computer Applications) and Indiana University Bloomington (MS in Informatics). She received her Bachelor's from The Heritage Academy, Kolkata, India and was a gold medalist in her cohort.

She has also previously worked at Infosys Limited and HCL Technologies.

@conference {244726,
author = {Sanchari Das},
title = {Eyes in Your Child{\textquoteright}s Bedroom: Exploiting Child Data Risks with Smart Toys},
year = {2020},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan
}