SPICE Presents Paper Calling for A New Privacy & Security Regime for IoT Smart Toys at 2022 5th IEEE Conference on Dependable and Secure Computing (IEEE DSC 2022)


By Joshua Streiff

The growing ubiquity of the Internet of Things (IoT) in people’s everyday lives has raised increasing concerns about both the security of IoT devices and the privacy of the data that they collect and share. Of particular concern are our most vulnerable users, children, who are at risk when an insecure IoT device is introduced into their lives as a toy to play with. Poor security design and obfuscation of data collection are but two of the myriad issues that turn simple teddy bears into digital Trojan horses that put children at risk of harm.

In our paper, “A Call for a New Privacy & Security Regime for IoT Smart Toys,” presented at the 2022 5th IEEE Conference on Dependable and Secure Computing (IEEE DSC), we examine current legal and policy regimes responsible for IoT toys and find them wanting. Our measure is a practical one, examining several existing IoT toys and applying current regimes to a sample set of devices, some of which were tested at the Luddy School of Informatics, Computing, and Engineering’s Internet of Things Research House lab.

Our paper investigated the current state of regulatory, legislative, and tort measures to address IoT toy safety and found them inadequate to the task of child safety, being only partly effective in any particular case example. Additionally, we focus on the inherent problems with any regime that addresses security concerns only when problems are found, instead of as part of a pre-market testing regime. Post-market solutions are least applicable to devices whose users cannot themselves identify, report, or even mitigate harm due to age and cognitive capability.

Having established reasons for a restructuring of responsibilities, requirements, and proactive options for implementable security and privacy rules for IoT toy manufacturers, we then propose practical solutions. Primary among these is the proposed use of the Federal Communications Commission’s current testing and labeling regime in an expanded role as a pre-market testing solution specific to IoT toys for younger children.

The paper was presented at the 2022 5th IEEE Conference on Dependable and Secure Computing (IEEE DSC); its co-authors include Naheem Noah and Sanchari Das of the University of Denver. Sanchari Das is an alum of the Security & Privacy in Informatics, Computing, and Engineering (SPICE) Center at Indiana University Bloomington and is now an Assistant Professor at the Ritchie School of Engineering and Computer Science, University of Denver.

Joshua Streiff, the author, is the project manager for SPICE as well as the IoT House at Indiana University Bloomington. He is additionally a master’s student in Indiana University’s Cybersecurity Risk Management program.