Vulnerabilities in EU connected toys

  • December 23, 2024
  • William Payne

Children’s smart toys being sold in the European Union are still vulnerable to a range of cyberattacks, despite efforts to tighten regulation and enforcement through the EU Cyber Resilience Act, according to a report published by the Spanish Government.

Spanish Government researchers found that connected toys sold in Europe suffer from insecure default settings, weak security update procedures and vulnerable associated mobile apps. These weaknesses could allow attackers to take remote control of the toy and of other devices in the home.

At its publication, the researchers at Spain’s National Institute for Cybersecurity (INCIBE) who authored the report carried out a demonstration of a cyberattack on a connected toy in front of Spain’s Minister for Digital Transformation and Public Function, Óscar López, and the Secretary of State for Telecommunications, Digital Infrastructure and Digital Security, Antonio Hernando.

In the live demonstration, the researchers compromised a remote-controlled toy car and used it as a bridge to access a range of other devices on the home network.

The report by INCIBE, an agency of Spain’s Ministry of Digital Transformation and the Public Function, is the first comprehensive analysis of the cyber threat landscape carried out by an EU body in accordance with the criteria of the EU Cyber Resilience Act (CRA).

The EU Cyber Resilience Act (CRA) entered into force in December 2024 and has a three-year transition and adoption period. Compliance is mandatory for manufacturers and distributors of products placed on the EU market. Member states will have to inspect between 3% and 10% of the products on the market, depending on the risk, criticality of the product, category and the volume on the market.

Spain, through INCIBE, has become the first European country to carry out this analysis, in the current voluntary phase.

The event, held at INCIBE’s head office in León, was attended by the Minister for Digital Transformation and Public Function, Óscar López, and the Secretary of State for Telecommunications, Digital Infrastructure and Digital Security, Antonio Hernando.

INCIBE selected 26 smart toys from among the most popular sold on online platforms. Each toy handles user data in some way: through video or audio recording, a Bluetooth or Wi-Fi connection, or a mobile application for device management.

The study identified issues such as insecure default settings, which may allow insecure transmission of sensitive data such as passwords; weaknesses in the implementation of security updates; and vulnerable mobile applications, which could allow exploitation of vulnerabilities and even remote control of the device by attackers. Such issues were found in some of the products examined.

They assessed attack vectors across eight key areas, grouping the toys according to their connection technologies and exposure surfaces. The areas examined included vulnerability analysis and the update capabilities available for remediation, examination of the mobile and/or desktop applications required for the toy’s functionalities, resistance to common attacks, and the security of physical and wireless connections.

The researchers have drawn up proposals for improvement, including suggestions for households and manufacturers to strengthen cybersecurity and digital trust, aligned with the EU Cyber Resilience Act (CRA).

Minister for Digital Transformation and Public Function, Óscar López said: “With this report, Spain reinforces its leadership in the implementation of the Cyber Resilience Act, not only by complying with European standards, but also by anticipating their requirements. Connected toys are an example of how technology can be an ally of leisure and learning, as long as they are used safely. This joint effort with manufacturers and consumers is essential to protect especially the most vulnerable, our children.”