In the past the only toys that could speak and hear were those in the movies. However, with the Internet of Things, fantasy is now becoming reality, and a recent hack shown this month by the National Cyber Security Centre demonstrated what might just happen when good toys go bad.

“My friend Cayla” first became available in 2014, as a Bluetooth enabled e-doll that comes equipped with a microphone and Internet connectivity. Cayla is interacting with children by capturing their speech and analysing it with voice recognition software, in conjunction with mobile apps. The result is a toy that can talk, play games, tell stories, as well as respond to questions about animals, countries and famous people; every kids dream!

The problem is that Cayla allows for arbitrary connectivity with any Bluetooth-enabled device within reach, which essentially makes the toy a remote microphone and audio recorder; albeit disguised as a cute looking doll. Even a lightweight protection that limits connectivity to one device at a time can easily be subverted, because once a legitimate device (such as the child’s/parent’s tablet or mobile phone) goes out of range or runs out of battery, a would-be attacker is able to connect to the toy and play or record audio. In fact, because the toy can be used to illegally spy on children, as of February 2017, Germany’s Federal Network Agency classified Cayla as an “illegal espionage apparatus”.

This is not the first time Cayla has been in the limelight. Security researcher Tim Medin and penetration company Pen Test Partners have both revealed vulnerabilities with the toy, from listening in on conversations to forcing the doll to repeat expletives (by using the “My friend Cayla app” with a rooted Android device). However, the NCSC have taken this one step further by demonstrating how e-dolls such as Cayla can lead to cyber-physical threat in the smart home; exploiting the dolls speech playback functionality to open a doors smart lock.

Whilst the NCSC have not given specific details on how they executed the attack, it is in fact fairly simple to carry out on a number of smart lock devices. For example, depending on whether a doors smart lock has voice-recognition software or is controlled via an app, Cayla provides the perfect medium for circumventing both in exactly the same way. In the first figure below, an attacker aiming to gain access to a smart home stealthily uses Cayla to record occupants speech in the local vicinity (when nobody is connected); ex-filtrating the necessary information for communicating directly with a voice-controlled smart lock (step 1). Next, the attacker plays back the recording when access to the doll is available and the home’s occupants are away (step 2).


In figure two, an attacker simply uses Cayla to playback an audio file that uses the standard app voice commands (which are typically available in the manual!) to open a smart lock which is controlled via the Amazon Echo Alexa assistant (Google Home would be equally useful here …)


Cayla is not the only toy that is vulnerable to hackers. Similar concerns have also been raised about i-Que toy and the new Hello Barbie. So, the age of internet connected toys is most definitely upon us, but what can we do to ensure that these toys are adequately protected, without compromising the safety of the children and environment in which they are used?

Below are a number of best practice tips that can help provide protection for e-toys, whether in the smart home or more generally for the children that use them.

  • Always check whether the toy uses encryption for network communication (whether WiFi, Bluetooth, 3/4G or otherwise) and enable it if not turned on by default. If such encryption is not available, all data between the toy and network enabled devices can be viewed by anyone in the vicinity of the devices and potentially intercepted. Therefore, ask product suppliers if unsure, and avoid purchasing toys that provide Internet connectivity without encrypted connections.
  • Make sure to enable username and password authentication to the toy if available (e.g., to mediate remote connections via Bluetooth or the Internet in the case of the Cayla doll); changing any default credentials to a suitably secure alphanumeric format (more on that at and
  • Ensure Internet-enabled and wireless toys are switched off at night, or when leaving the house unattended. For unattended children, make a conscious decision whether to turn off this functionality if there are privacy concerns.
  • When using the toys accompanying apps, ensure they are installed with least-privileges. That is, avoid installing an app that asks for administrator access to your device, or where the app requests access to device functionality which is not contextually relevant (e.g., the ability to send SMS messages, which could be used to send messages to Premium numbers)
  • Similarly, avoid installing apps on a non-standard “rooted” or “jail-broken” device, as this increases exposure of the toys application to exploitation by malware that may target your device.
  • Lastly, if any anomalous or strange behaviour is observed from the toy make sure to report this as soon as possible to the product’s suppliers or relevant security companies; attacks often go unreported for long periods which delay the development of software and security patches.

Recently in the news:

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: