Security researcher discovers vulnerability in talking toy dolls

That doll just said what?! 

Vivid Toy’s best-selling doll My Friend Cayla has vulnerabilities that malicious hackers can exploit to remotely make the talking toy say what they want, as security researcher Ken Munro of Pen Test Partners first revealed in a recent interview with BBC News. While the actual flaw has not been disclosed, it is known to be in the pairing of Cayla with the mobile device.


Cayla may appear to be like any other doll on the market today — 18” tall, blond hair, jean jacket, graphic t-shirt and pink skirt — but she is equipped with a built-in speaker and a necklace that acts as a listening device. She uses speech recognition software and Google Translate technology to answer children’s questions, all while transmitting the words to an app on either an iOS or Android device. That device connects to Cayla via Bluetooth and relays what the child says, translates it into text and uses keywords to browse the web for a response.

BBC reached out to Vivid Toys regarding the vulnerability, and the company stated, “The hacking was an isolated example carried out by a specialist team – but nevertheless the company would take the information on board as it was able to upgrade the app used with the doll.”

The doll’s distributor had noted that if a child were to say a foul word or pose an inappropriate question, it would refrain from answering with anything more than “That’s inappropriate” or “I don’t know.” However, as Munro’s research reveals, she can be made to say much worse things to a child if hacked. For instance, Cayla closes out the interview warning, “Be careful parents. Who knows what I may say next?”

As mentioned in a recent Forbes writeup, a lack of security on the mobile app makes it rather easy for a hacker to change her stock responses from child-friendly platitudes to much more offensive content. An attacker would simply need to pair the dolly with their own device, Munro warns, either by quickly grabbing the toy or finding a way to remotely exploit the phone.

“We don’t think it would take much to turn her into a device to spy on and potentially interact with children. You would be well advised to make sure that she is switched off when not explicitly in use and make sure that the mobile device is secured with a strong PIN, also kept and patched up to date. In the longer term the manufacturer should apply a PIN for the Bluetooth pairing process, but we don’t think that can be done without a product recall.”

Coincidentally enough, Atmel’s resident security expert just examined the issue in depth, highlighting that while some sort of IoT is possible without security, without security it would really just be a toy. And this incident proves just that… literally.

“Security matters because users must trust that the nodes are who they say they are (i.e. authentic). Additionally, confidentiality of the data is important to keep unauthorized third parties from getting the data and misusing it. Also, without data integrity mechanisms there is no way to ensure that the data have not been tampered with or corrupted. All three of these matter. A lot,” Boldt writes.
