An Abertay student has carried out ground-breaking hacking work showing how an innocent child’s toy could be transformed into an offensive ‘talking Chucky’ doll.
Ethical Hacking fourth year student Cheryl Torano spoke of the project she carried out as it was revealed that parents in Germany have been told to destroy the ‘Cayla’ doll because of its security risks.
The warning over Cayla – a doll that reads stories and can respond to a user’s question through an app – was issued by the Federal Network Agency, which oversees telecommunications.
Researchers there say Cayla’s smart technology can reveal personal data. But Abertay student Cheryl’s project went a stage further and showed how hacking into the talking doll was ‘frighteningly easy’.
The 32-year-old transformed Cayla from an ‘angelic’ child’s doll into a ‘swearing and offensive’ toy.
Cheryl said, "We downloaded the doll’s app using free software that anyone can access. We then extracted the files from the doll and decoded it.
"It was in English on a Word document, which exposed the password. Then we were in… It couldn’t have been easier.
"We turned Cayla back into a working doll – but this time she was a talking Chucky doll. Her stories went from being nice and gentle to being vulgar and offensive. Suddenly Cayla was swearing like a trooper in her sweet, little voice.
"The one thing that was meant to be secure in this doll was that it could not use inappropriate language. We proved that wasn’t the case far too easily.
"We contacted the doll’s manufacturers (Genesis Toys) and they said they were aware of its vulnerabilities and would update the software. But this doll is out there now. I’m not surprised to see sanctions being taken like in Germany today."
Cyber security firm Pen Test Partners were the first to hack a Cayla doll in 2014.
For her project, Cheryl used a different method known as reverse engineering to gain access to the toy.
Cheryl says, as a mother of two children – Jessica, 13, and Stewie, 5 – she was even more aware of the potential dangers posed by toys.
"It was unbelievably easy. Anyone sitting in their house could effectively spy on your child through a doll.
"This is why I want to make cyber security my career. Seeing how easy hacking into Cayla was makes me want to protect people."
Dr Natalie Coull, Ethical Hacking lecturer at Abertay, said, "The big problem is that a lot of these issues arise with toy manufacturers who have not really had to consider cyber security before.
"But now, the likes of baby monitors and talking dolls are risks and are perhaps not tested enough before being sold and used.
"The reality of the Internet of Things (IoT) is just around the corner: an era in which all manner of devices will be online, collecting data about daily life.
"Internet-enabled toasters, fitness watches and even toothbrushes are available with high-tech features that offer an improved user experience. However, these devices can also be misused and attacked. Misuse of these devices has the potential to bring the internet to its knees."