Testing Internet of Toys Designs to Improve Privacy and Security

  • Stéphane Chaudron
  • Dimitrios Geneiatakis
  • Ioannis Kounelis
  • Rosanna Di Gioia
Part of the Studies in Childhood and Youth book series (SCY)


Internet-connected toys (IoToys), embedded with microphones, cameras and other sensors, bring technology closer to children than ever before. This new generation of toys poses several questions, e.g. “What data can IoToys exchange? With whom? What are the possible threats?”, and raises concerns regarding the security and privacy of children. These issues are at the centre of this chapter. The authors describe the data flow of the IoToys architecture and highlight the threats that such an architecture should tackle. They present the privacy and security test conditions to which different IoToys were subjected. The results indicate that personal data are exposed, thus violating data confidentiality and consequently end-users’ privacy. The chapter concludes with recommendations to enhance the security and privacy of the IoToys architecture.


Internet of toys, Internet of things, Security, Privacy



Copyright information

© The Author(s) 2019

Authors and Affiliations

  • Stéphane Chaudron (1)
  • Dimitrios Geneiatakis (2)
  • Ioannis Kounelis (3)
  • Rosanna Di Gioia (4)

  1. European Commission, Joint Research Centre, Ispra, Italy
  2. European Commission, Joint Research Centre, Ispra, Italy
  3. European Commission, Joint Research Centre, Ispra, Italy
  4. European Commission, Joint Research Centre, Ispra, Italy
