banner
Family

This doll could be spying on your child

Posted February 25

You’ll want to check your child’s toy room after reading this. (Deseret Photo)

My Friend Cayla is a children’s toy that knows it all. By connecting to the internet, she can answer almost any question you ask her. But there is one glaring downside: this toy could be spying on your child.

Cayla connects through Bluetooth and has a range of 30 feet. However, researchers found that hackers can also access the doll's connection within a 30 foot range, and can then listen and talk to the children playing with Cayla.

The doll is easily hacked

Suspicions about the doll started when security researcher Ken Munro, from Pen Test Partners, discovered that the toy could be hacked, according to BBC News.

"It's so simple to break into it, anyone could do it with a phone. All you have to do is turn on Bluetooth and connect to the doll and you're potentially listening, spying into the child's room or you can even talk to the child through the doll," Munro said.

Cayla is banned in Germany — other countries are worried, too

The doll is already banned in Germany because it violates their rule against wireless devices with hidden microphones, according to CNN. Germany’s Federal Network Agency (Bundesnetzagentur) has no plans to penalize parents who do not destroy the doll, saying they assume parents will take the responsibility to make sure the doll does not cause a risk.

But Germany isn’t the only country worried about My Friend Cayla. Concerns in the United States have also been raised; a complaint was filed to the Federal Trade Commission (FTC) in December by the The Electronic Privacy Information Center (EPIC) as well as a few other organizations.

“The fact that this data collection not only contains really intimate personal conversations but also fails to comply with any of the protections that Congress has enacted … is really concerning,” Claire Gartland, director of the EPIC Consumer Privacy Project, told Today.

Her favorite movie is also a problem

In addition to privacy concerns, people are also upset about product placements from the doll. The complaint mentions that My Friend Cayla is programmed with phrases related to Disney. The doll says her favorite movie is Disney’s The Little Mermaid and her favorite song is “Let It Go” from Disney’s Frozen. However, the complaint also states that it is difficult for children to recognize these statements as advertisements.

Disney told ABC News that they do not have a contract with the doll’s manufacturer, Genesis, and were unaware that their name was part of the doll’s script.

Cayla really listens (a little too much)

The complaint further stated that the doll records audio from the children playing with it and sends it to a third-party software provider, Nuance. They claimed that part of this company’s services includes selling audio recordings to military, intelligence and law enforcement agencies.

Nuance responded by announcing that they do not sell or share voice data for any marketing or advertising purposes. They said they have not received an inquiry from the FTC, but promised to respond appropriately if they receive an official request.

As a parent, you should know who your child's friends are — My Friend Cayla is no exception.

Shaelynn Miller is a journalist who has a passion for photography, video production and writing.

Contact her at smiller@deseretdigital.com.

1 Comment

Please with your WRAL.com account to comment on this story. You also will need a Facebook account to comment.

Oldest First
View all
  • Andy Hairston Feb 27, 12:27 p.m.
    user avatar

    Unfortunately, this is true of many internet-connected devices. Frequently, Internet of Things (IoT) devices (meaning not computers or cellphones) don't get security updates/patches and use hard-coded security credentials. Once a hacker figures out how to get into ONE of them, they then know how to access every one of that mode. IoT devices also are being taken over and used in botnets for attacks on other systems (see Mirai malware). It's not just dolls - routers, remote cameras, IoT lightbulbs (yes, really), basically anything with a 'net connection is a risk. (How do I know? I'm a server owner and general computer geek.)