Wi-fi gadgets are ‘Trojan horses’

Electronic devices that connect to wi-fi — including toys, kettles and fridges — should be tested to see if they withstand hacking attempts or else be banned from sale, a Scottish academic says.

Bill Buchanan, a professor in the School of Computing at Edinburgh Napier University, has raised fresh concerns that many wi-fi-enabled dolls and household gadgets are vulnerable to hacking attacks.

He warns that the devices can be used as gateways to access a home’s wi-fi network to eavesdrop and capture personal information such as bank details, credit card numbers and security PINs.

Buchanan said the growing popularity of wi-fi-enabled talking toys is of particular concern after his team took control of a device and was able to “speak” through it. He said that such devices could easily be hijacked by paedophiles to groom children.

“It’s worrying,” said Buchanan. “More and more toys have wi-fi connectivity but these can be hacked within 20 minutes using standard computer software that anyone can get their hands on. Parents need to know about the risks these devices can pose.”

Buchanan said his team have demonstrated that an electronic device can be quickly hacked with software that translates the peaks and troughs of their power output into code that in turn is used to crack the encryption key.

Once acquired by a hacker, network traffic can be monitored. “This code is like the key to your house — it unlocks the front door,” said Buchanan.

Alongside his research on cracking encryption keys from electrical power analysis — defined as side-channel analysis — Buchanan regularly demonstrates hacking into My Friend Cayla, the “world’s first ‘live’ interactive doll”, to control the toy’s voice output.

“It’s quite shocking that this toy has been allowed into the UK,” he said. “These devices are in our homes and it’s our kids that are in danger.

“We would like to see a kitemark for any electronic toy to make sure it can stand up to hacking attempts.”

On Friday, Scott Steedman, director of standards at the British Standards Institution, said the body is looking to develop kitemarks for internet-connected devices.

Household gadgets that can be controlled remotely via a smartphone app include kettles, enabling the user to boil water to make the morning cup of tea or coffee, while they are still in bed.

“Almost everything that you can think of will be connected to the internet. We are at the beginning of a revolution and there will need to be a suite of standards — code of practices, guidance and technical tests — to help provide assurances that a product is safe from cyber-attacks and malicious misuse,” said Dr Steedman. “We very much want to help shape that debate at a national and international level.”

Buchanan’s comments follow claims that Britain’s intelligence agencies could take over children’s toys and use them to spy on suspects.

MPs working on the draft Investigatory Powers Bill were told recently that anything connected to the internet could “in theory” be hacked into.

A spokesman for Vivid , the UK distributor of the Cayla doll, said: “We are satisfied the products are perfectly safe.

“There is no potential negative impact to a user if the products are used as per the issued guidance.

“In the two years since the products have been on the market, there has been no associated negative consumer feedback.”