Teddy Sees You

Have you ever gotten creeped out by dolls? How about teddy bears? If you have, this is going to make that fear even greater.

We have smart devices around us everywhere. Many such smart devices are equipped with sensors such as accelerometers and microphones. Whereas some sensors may be harmless to your privacy, like an ambient light sensor, a microphone is another story. Your phone might be recording you right now for all you know.

When smart devices are put into everything, the importance of cyber security and privacy increases. Some companies, however, have failed to realise this, and the consumer takes most of the blow.

Consider the following case:

In Germany, the regulator, the Bundesnetzagentur, banned a “smart doll” with the name “Cayla” because of privacy concerns after it was shown to be hackable via insecure Bluetooth connections. In practice, that means that potential predators could connect to “Cayla” from afar.

This doll was marketed towards children as a “Barbie 2.0”. Innovation is all well and good, but with innovation and technology comes responsibility. Making their servers and products secure should be the crux, but sadly it is not. Luckily, some countries have regulations to prevent such dangerous products from being given to children.

“Law Down Under” states:

Any toy that is capable of transmitting signals that can be used to record images or sound without detection is banned in Germany. The Bundesnetzagentur is the authority responsible for enforcing the ban on surveillance devices.

That seems sensible in this case. I am usually against banning things, whatever they are, and would leave it up to consumers to decide what is best for themselves. However, this is a serious breach of privacy and security. Devices that are meant for children should be incredibly safe. We already test them for dangerous substances such as toxic plasticisers, among them BPA and phthalates. Why should we do anything different with things that can lead to people or organisations spying on your kids or your whole family?

“Cayla” is not the first to draw criticism for breaching privacy or being potentially unsafe for children. The app “Talking Angela” had a lot of problems where predators talked to minors through it. Mattel’s talking Hello Barbie doll also raised concern over children’s privacy because of its microphone and Wi-Fi connectivity. This could be used to target children with ads, for example, but that data could also be sold on to third parties.

There was also a loose-lipped teddy bear that leaked 2 million recordings from both parents and children.

“Motherboard” states:

Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected. The MongoDB was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data.

And therefore we should not trust a toy company with our potentially intimate information. I use the search engine Shodan myself, and there is a lot of unsecured information from places you would not believe. Shodan is just a simple tool that requires almost no knowledge of hacking, and even an inexperienced user can utilise it to find sensitive data. Now think about what a security specialist, especially one with malicious intent, can do with that information.

The security specialist Bruce Schneier has made me especially wary about who I share my private information with. You can check out his content at

So, when I say, “Teddy sees you”, I am not joking. He really does.


Motherboard | New York Daily News | Post Crescent | Law Down Under