Abstract
The Internet of Things creates an environment to allow the integration of physical objects into computer-based systems. More recently, smart toys have been introduced in the market as conventional toys equipped with electronic components that enable wireless network communication with mobile devices, which provide services to enhance the toy’s functionalities and data transmission over Internet. Smart toys provide users with a more sophisticated and personalised experience. To do so, they need to collect lots of personal and context data by means of mobile applications, web applications, camera, microphone and sensors, for instance. All data are processed and stored locally or in cloud servers. Naturally, it raises concerns around information security and child safety because unauthorised access to confidential information may bring many consequences. In fact, several security flaws in smart toys have been recently reported in the news. In this context, this paper presents an analysis of the toy computing environment based on the threat modelling process from Microsoft Security Development Lifecycle with the aim of identifying a minimum set of security requirements a smart toy should meet, and propose a general set of security tests in order to validate the implementation of the security requirements. As result, we have identified 16 issues to be addressed, 15 threats and 22 security requirements for smart toys. We also propose using source code analysis tools to validate seven of the security requirements; three test classes to validate seven security requirements; and specific alpha and beta tests to validate the remaining requirements.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
CISCO Homepage. https://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html. Accessed 10 Sep 2017
Gardner Homepage. http://www.gartner.com/newsroom/id/3598917. Accessed 10 Sep 2017
IDC Homepage. https://www.idc.com/getdoc.jsp?containerId=prUS42799917. Accessed 10 Sep 2017
Rafferty, L., Hung, P.C.K.: Introduction to toy computing. In: Hung, P.C.K. (ed.) Mobile Services for Toy Computing. ISCEMT, pp. 1–7. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21323-1_1
Newsweek Homepage. http://www.newsweek.com/internet-connected-teddy-bear-leaks-2-million-voice-recordings-parents-and-561969. Accessed 13 Sep 2017
Forbes Homepage. http://www.forbes.com/sites/thomasbrewster/2016/02/02/fisher-price-hero-vulnerable-to-hackers/#359130c71cfe. Accessed 8 Dec 2016
Fortune Homepage. http://fortune.com/2016/02/02/fisher-price-smart-toy-bear-data-leak/. Accessed 8 Dec 2016
Motherboard Homepage. https://motherboard.vice.com/en_us/article/bmvnjz/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks. Accessed 13 Sep 2017
PCWorld Homepage. http://www.pcworld.com/article/3012220/security/internet-connected-hello-barbie-doll-can-be-hacked.html. Accessed 12 Dec 2016
Internet Crime Compliant Center (IC3) homepage. https://www.ic3.gov/media/2017/170717.aspx. Accessed 17 Sep 2017
Biswas, D.: Privacy policies change management for smartphones. In: IEEE International Conference on Pervasive Computing and Communications Workshops, pp. 70–75 (2012)
Zapata, B., Niñirola, A., Fernández-Alemán, J., Toval, A.: Assessing the privacy policies in mobile personal health records. In: 36th Annual International Conference of the IEEE Engineering in Medicine and Biology Society, pp. 4956–4959 (2014)
Nagappan, M., Shihab, E.: Future trends in software engineering research for mobile apps. In: IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 5, pp. 21–32 (2016)
Ng, G., Chow, M., Salgado, A.L.: Toys and mobile applications: current trends and related privacy issues. In: Hung, P.C.K. (ed.) Mobile Services for Toy Computing. ISCEMT, pp. 51–76. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21323-1_4
Rafferty, L., Fantinato, M., Hung, P.C.K.: Privacy requirements in toy computing. In: Hung, P.C.K. (ed.) Mobile Services for Toy Computing. ISCEMT, pp. 141–173. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21323-1_8
Rafferty, L., Hung, P., Fantinato, M., Peres, S., Iqbal, F., Kuo, S., Huang, S.: Towards a privacy rule conceptual model for smart toys. In: Proceedings of the 50th Hawaii International Conference on System Sciences, HICSS (2017)
Carvalho, L., Eler, M.: Security requirements for smart toys. In: Proceedings of the 19th International Conference on Enterprise Information Systems (ICEIS 2017), vol. 2, pp. 144–154 (2017)
Canadian Public Works and Government Services: Personal Information Protection and Electronic Documents Act (2000)
United States Federal Trade Commission Homepage. http://www.coppa.org/coppa.htm. Accessed 27 Nov 2016
The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council. Regulations, Official Journal of the European Union (2016)
Hung, P.C.K. (ed.): Mobile Services for Toy Computing. ISCEMT. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21323-1
BBC News homepage. http://www.bbc.com/news/technology-38222472. Accessed 12 Dec 2016
Sommerville, I.: Software Engineering, 9th edn. Pearson, Boston (2011)
Tondel, I., Jaatun, M., Meland, P.: Security requirements for the rest of us: a survey. IEEE Softw. 25(1), 20–27 (2008)
United States Government Accountability Office homepage. https://www.gao.gov/products/GAO-17-440T. Accessed 17 Sep 2017
Viega, J.: Building security requirements with CLASP. In: Proceedings of the 2005 Workshop on Software Engineering for Secure Systems—SESS 2005, 15–16 May, St. Louis, MO, USA (2005)
Sindre, G., Opdahl, A.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)
IDA homepage. https://www.ida.liu.se/~TDDC90/literature/papers/clasp_external.pdf. Accessed 16 Nov 2016
US-CERT homepage. https://www.us-cert.gov/bsi/articles/best-practices/requirements-engineering/square-process. Accessed 3 Nov 2016
Lipner, S.: The Trustworthy computing security development lifecycle. In: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004). IEEE (2004)
Microsoft homepage. http://www.microsoft.com/sdl. Accessed Feb 2017
Open Web Application Security Project (OWASP) homepage. https://www.owasp.org/index.php/Source_Code_Analysis_Tools. Accessed 17 Sep 2017
Open Web Application Security Project (OWASP) homepage. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents. Accessed 17 Sep 2017
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
de Carvalho, L.G., Eler, M.M. (2018). Security Requirements and Tests for Smart Toys. In: Hammoudi, S., Śmiałek, M., Camp, O., Filipe, J. (eds) Enterprise Information Systems. ICEIS 2017. Lecture Notes in Business Information Processing, vol 321. Springer, Cham. https://doi.org/10.1007/978-3-319-93375-7_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-93375-7_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93374-0
Online ISBN: 978-3-319-93375-7
eBook Packages: Computer ScienceComputer Science (R0)