Security researcher Ken Munro discovers vulnerability in Vivid Toy’s talking Doll ‘Cayla’
Vivid Toy’s best seller talking doll ‘Cayla’ has vulnerabilities which can be exploited by potential hackers to make the talking doll say what they want remotely. The vulnerability was discovered by security researcher Ken Munro, from Pen Test Partners. Munro, who has given a one on one to BBC’s Tech Tent program and will feature in today’s edition, discovered a vulnerability in Cayla’s software which allows for it to be hacked, and essentially say any number of things.
Munro has also demonstrated the hack to the BBC’s Rory Cellan-Jones. As Munro has not released the PoC and BBC’s Tech Tent is yet to be aired, it is not known what the vulnerability is but it is in the App that connects Cayla with the smartphone.
Cayla is an Internet-connected talking doll from Vivid Toys, She uses speech recognition software and Google Translate technology to communicate with the child. Unveiled in November 2014, Vivid Toys says that children can have any amount of conversations with the doll and Cayla will be “the smartest friend you’ll ever have.”
Cayla looks like a traditional doll – 18 inches high, with blond hair and a T-shirt. But her stomach contains a speaker, out of which she ‘talks’, and she wear a necklace which acts as a listening device. She works by hearing what you say and sending the words to an app which needs to be installed on any iOS device or Android device.. That device connects to the Cayla by Bluetooth and then translates what the child says, turns it into text and uses key words to scour the Internet for a response.
At the time of the unveiling, Vivid Toys had said that parents are assured that high levels of security features, including Google SafeSearch, will mean that Cayla will never say anything untoward. Vivid had stated at that time that if you say the word “crap” to the doll, and she answers: “That’s inappropriate.” Ask her where babies come from and she says: “I don’t know. You better ask your teacher.”
However Munro’s research proves that she can be made to say much worse things to a child if hacked. BBC reached out to Vivid Toys regarding the vulnerability, who stated that “the hacking was an isolated example carried out by a specialist team – but nevertheless the company would take the information on board as it was able to upgrade the app used with the doll on an ongoing basis.”
Here is a video of Ken Munro’s interview with BBC’s Rory Cellan-Jones