
Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll, Germany urges parents

Or switch it off, bin it, bury it, whatever's necessary

By Thomas Claburn, 17 Feb 2017

Germany's Federal Network Agency, or Bundesnetzagentur, has banned Genesis Toys' Cayla doll as an illegal surveillance device.

"Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," said agency president Jochen Homann in a statement. "This applies in particular to children's toys. The Cayla doll has been banned in Germany."

Cayla's deportation and exile come two months after privacy advocacy groups urged US and EU regulators to deal with the potentially privacy-infringing doll.

The Bluetooth-enabled toy comes with a microphone and is designed to capture children's speech so it can be analyzed using Nuance's speech recognition software, in conjunction with mobile apps.

Privacy and consumer protection groups have complained that the doll has been programmed to advertise to children, lacks security, and provides insufficient privacy guarantees about how captured data and personal information will be used.

Neither Genesis Toys, the Hong Kong-based maker of the doll, nor Nuance responded to requests for comment.

Germany's network watchdog said any toy capable of transmitting signals and surreptitiously recording audio or video without detection is unlawful. The danger, the agency claims, is that anything a child or someone else says in the vicinity of the doll can be transmitted without parents' knowledge. Also, lack of network security could allow the toy to be turned into a listening device, the agency suggests.

UK-based security research group Pen Test Partners has demonstrated that the toy's local database can be hacked. It also suggests the doll is vulnerable to man-in-the-middle attacks, a backdoor attack, and pairing with an arbitrary Bluetooth device. The firm refers to Cayla as "a bluetooth headset, dressed up as a doll."

Along similar lines, other tech-enabled toys, like Mattel's Hello Barbie doll in 2015, have been shown to lack adequate cybersecurity controls.

The agency's rules state that buyers of unlawful espionage devices may be required to destroy them and to provide proof of destruction in the form of a confirmation letter from a waste management facility.

In what might be read as an effort to encourage parents to destroy the doll, the Bundesnetzagentur says it assumes that "parents will take it upon themselves to make sure the doll does not pose a risk." However, its product notice also makes clear that the agency has "no plans at present to instigate any regulatory proceedings against the parents."

So any violence against Cayla is strictly discretionary. ®
