Cayla doll

Germany's telecommunications regulator has issued a ban against a line of smart toys called "My Friend Cayla," calling the toy an espionage device and recommending that parents destroy all of the toys at once.

According to a press release published by Germany's Federal Network Agency (Bundesnetzagentur), the Cayla dolls were recording children's conversations and sending the audio to their manufacturer, a company based in the US.

Child recordings sold to third parties for targeted advertising

Based on the description on its homepage, the Cayla doll was designed to pick up children's questions and send them to an app on the parent's device, which translated the audio to text and searched for an answer online.

According to German authorities, some of these conversations made their way further, as the app forwarded the audio recordings to the doll's vendor.

The toy's terms and conditions state that the vendor uses these conversations to improve its service, but also shares the audio recordings with third-party companies that can use them for targeted advertising.

Toy can be hacked to spew curse words & scare kids

Furthermore, the toy itself has been hacked by security researchers, who showed that the communications between the Cayla doll and the parent's app were not sufficiently protected, allowing an attacker to intercept audio recordings, or relay custom audio to the toy, possibly scaring the child.

All of these issues have also come to the attention of Norway's Consumer Council (Forbrukerrådet Norge), which recorded a YouTube video detailing all the problems to raise awareness amongst parents.

Norwegian authorities did not ban the toy like their German counterparts, but Germany is known to have much stricter privacy laws than many countries.

Monique Goyens, Director General of the European Consumer Organisation, has called on other EU countries to follow Germany's example and ban the toy.

In the meantime, Germany's telecommunications regulator plans to inspect more Internet-connected toys.

Smart toys are a disaster waiting to happen

Officials won't have to search long, as many issues have surfaced in past years. For example, last year, security researchers from Pen Test Partners found several flaws in the firmware of BB-8 Star Wars smart toys.

Similarly, security experts from Rapid7 found that they could harvest personal data about children and their parents from Fisher-Price smart toys and hereO GPS kids' watches.

In 2015, security researcher Matt Jakubowski told NBC that he hacked the Hello Barbie smart toy to extract enough personal information to track down someone's home location.
