Consumer watchdogs in Europe and the US have lodged a joint complaint against the makers of top-selling internet-connected toys for failing basic privacy and security measures, and not keeping children safe.

A study by the Norwegian Consumer Council has identified major security flaws in the My Friend Cayla doll and i-QUE robot connected toys, specifically. Both are widely available in Europe and the US.

My Friend Cayla, for example, lets children ask her questions to which she responds, and plays games like noughts and crosses with them.

Based on the results of the Norwegian study, consumer organisations in seven European countries have filed complaints against Genesis Toys, which makes the devices, and ToyQuest, which makes their companion apps.

Alongside the Norwegian Consumer Council, complaints have been filed with national data protection authorities and consumer protection authorities by UFC Que Choisir in France, the Swedish Consumers’ Association in Sweden, the Consumers' Protection Centre (KEPKA) in Greece, Test Ankoop in Belgium, the Consumers’ Association of Ireland, and Consumentenbond in the Netherlands.

Four US groups, including the Electronic Privacy Information Centre (EPIC) and the Centre for Digital Democracy, have filed a complaint with the Federal Trade Commission.

The Norwegian tests found that, “with simple steps”, hackers can easily gain control of both toys through a mobile phone, and talk and listen through them without any kind of physical access.

The terms and conditions attached to the Cayla doll stipulate as well that, prior to use, customers must also consent that personal data can be used for targeted advertising, and that their information may be shared with unnamed third parties.

They must also accept these terms may change without notice.

Cayla also transfers data, including any communications with the dolls, to a US-based company called Nuance Communications, a speech recognition specialist that also provides technology for fraud detection and healthcare services.

The terms of use state Nuance Communications can share with other third parties for a wide-variety of purposes, including hidden marketing.

The study says the Cayla doll, for example, will talk about Disney movies, and notes the app provider has a commercial relationship with Disney.

The European Consumer Organisation (BEUC) has sent letters about the matter to the European Commission, the European Union network of national data protection supervisors, and the International Consumer Protection and Enforcement Network (ICPEN).

Monique Goyens, Director General of BEUC, said: “Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy.

"As long as manufacturers are not willing to take these issues seriously it is clear that this type of connected products is not suitable for children.”

Genesis Toys has distribution arrangements with Wal-Mart, Toys R Us, Amazon, Target, and K-Mart, variously, in the US, Norway, Sweden, Denmark, Australia, Netherlands, and the Middle East.

British toy company Vivid distributes both products in the UK, France, Germany, Austria, Ireland, and Switzerland.

The Norwegian Consumer Council notes in its complaint to the Norwegian Directorate for Civil Protection the Cayla doll was named toy of the year in Norway and Sweden in 2014, according to a sticker on its packaging.

The Norwegian app for the doll has been downloaded from Google Play between 10,000 and 50,000 times, it said.

The app associated with the i-Que robot has been downloaded between 1,000 and 5,000 times from Google Play.

Tony Gee, Consultant at ethical hacking firm Pen Test Partners, told European Communications: “We applaud this action. It’s time manufacturers of IoT devices woke up and realised it is their responsibility to ensure they deliver safe and secure devices to end users.”

Pen Test Partners has also investigated the Cayla device, alongside such devices as connected thermostats and DVRs, and found its security and privacy to be inadequate.

“Cayla has no Bluetooth pairing mechanism, meaning as long as she is turned on anyone within range can connect to her,” said Gee.

Speaking at the European Communications/Mobile Europe IoT Conference 2016 last week, Gee demonstrated the Cayla doll works effectively as a Bluetooth speaker and microphone, with no pairing process.

“This means attackers could sit outside a child’s window and listen and talk to them, through their doll," said Gee.

"Not only that, the application is very poorly written with little regard for the potential for attackers to create malicious versions allowing modified versions to be created.”

Gee said IoT manufacturers should test for vulnerabilities as a matter of course, make devices remotely updateable, sign and check firmware updates, encrypt data and communications, and limit the personal data required for the service.

Goyens also made the point market supervision is becoming increasingly complex.

“The challenge to make sure European consumers are properly protected is huge and co-operation between authorities and consumer organisations is key,” she said.

“The fact that business malpractices spill over national borders is making this task even harder.”

More News

Iliad enters content game in France, finally launches Italian mobile business Iliad enters content game in France, finally launches Italian mobile business Iliad has acquired football rights in France and launched its opco in Italy as it looks to reboot after a disappointing set of financial results. More detail
Three UK appoints new CCO, CFO Three UK appoints new CCO, CFO The departure of Three UK's Chief Commercial Officer after just 18 months in the job has triggered a shake-up of the mobile operator's top team. More detail
TalkTalk to sell enterprise customer base to Daisy as it registers full-year loss TalkTalk to sell enterprise customer base to Daisy as it registers full-year loss TalkTalk has agreed to sell 80,000 business customers to rival Daisy Group in a £175 million deal. More detail
A1 Telekom Austria Group rebrand reaches Bulgaria A1 Telekom Austria Group rebrand reaches Bulgaria Bulgaria is the third A1 Telekom Austria Group opco to get rebranded as the telco looks to market itself as a provider of "advanced" IT, IoT, cloud and content services. More detail
Orange Business Services puts IoT to use on saving ships’ fuel costs Orange Business Services puts IoT to use on saving ships’ fuel costs Orange Business Services has expanded its work with Dobroflot by developing a customised IoT solution for the Russian fishing company. More detail


European Communications is now
Mobile Europe and European Communications


From June 2018, European Communications magazine 
has merged with its sister title Mobile Europe, into 
Mobile Europe and European Communications.

No more new content is being published on this site - 

for the latest news and features, please go to: