Germany Says Auf Wiedersehen to Hi-Tech Doll

By Tim Medin | March 28, 2018

The German government has banned a hi-tech doll that has concerned U.S. privacy groups and Red Siege founder Tim Medin for years.

The My Friend Cayla doll, which remains on sale in the U.S., violates a portion of the German statute that “prohibits the possession, production, distribution, importation or otherwise of transmitters or other telecommunications equipment … which in appearance mimic another object or which are disguised.”

In short, the blond-haired, Bluetooth-connected doll gives no indication that it collects and transmits everything it hears. Used as intended, children can interact with Cayla through an app or through voice commands.

“The toy had many strong security features to ensure a normal child using the doll would not stumble into inappropriate content,” Medin said. “However, other development choices would allow a nefarious user to gain access to the device that could be dangerous.”

In 2015, Medin purchased a My Friend Cayla doll and expressed concern about some of its security and privacy features in a blog post.

“Any, and I mean ANY system with Bluetooth (tablet, phone…or laptop) can connect to this device and use it as a speaker or as a remote mic. The toy is essentially a cute Bluetooth headset,” Medin concluded. “Anyone within range can use this toy to listen to and communicate with a kiddo. Again, the only protection here is that only one device can be connected at a time. This is not a safe mechanism to protect someone from communicating with my child.”

As internet-connected toys become more common, it is incumbent on developers to adopt security best practices and safeguard the scores of children who will play with devices like the My Friend Cayla doll.
