INCIBE presents a pioneering report on the security of connected toys in the framework of the EU's Cyber Resilience Act

News - 2024.12.17

13/12/2024. Report on the security of connected toys. The Minister for Digital Transformation and Public Function, Óscar López, during the presentation of the report


The National Institute for Cybersecurity (INCIBE), an entity under the Ministry of Digital Transformation and the Public Function, through the Secretary of State for Telecommunications, Digital Infrastructure and Digital Security, has presented a groundbreaking report on the security of connected toys, thereby becoming the first European body to conduct a comprehensive analysis in accordance with the criteria of the European Union's Cyber Resilience Act (CRA). This report is part of the actions that Spain is leading to guarantee the protection of consumers and businesses against the vulnerabilities of devices with digital components.

The EU Cyber Resilience Act (CRA) entered into force in December 2024 and has a three-year transition and adoption period. Thereafter, compliance will be mandatory for manufacturers and distributors of products placed on the EU market. In addition, member states will have to inspect between 3% and 10% of the products on the market, depending on the risk, criticality of the product, category and the volume on the market.

Therefore, Spain, through INCIBE, is the first European country to carry out this analysis, in the current voluntary phase.

The event, held at INCIBE's head office in León, was attended by the Minister for Digital Transformation and Public Function, Óscar López, and the Secretary of State for Telecommunications, Digital Infrastructure and Digital Security, Antonio Hernando.

In his speech, the minister stressed: "With this report, Spain reinforces its leadership in the implementation of the Cyber Resilience Act, not only by complying with European standards, but also by anticipating their requirements. Connected toys are an example of how technology can be an ally of leisure and learning, as long as they are used safely. This joint effort with manufacturers and consumers is essential to protect especially the most vulnerable, our children."

Key findings of the report


To carry out the study, INCIBE selected 26 smart toys, taking into account the best-selling toys on online platforms. These toys are capable of handling user data through video or audio recording, a Bluetooth or Wi-Fi connection, or a mobile application for device management.

The study assessed vulnerabilities and identified improvement requirements for manufacturers, reinforcing key aspects of protection so that the products analysed meet the highest standards of security and reliability. These requirements are accompanied by recommendations to provide consumers with a safe and quality user experience.

The study provides the following information and results:

  • Critical points identified: some products showed issues such as insecure default settings, which may allow insecure transmission of sensitive data such as passwords; weaknesses in the implementation of security updates; or vulnerable mobile applications, which could allow exploitation of vulnerabilities and even remote control of the device by attackers.
  • Attack vectors assessed: eight key areas have been assessed, dividing the toys according to their connection technologies and exposure surfaces: vulnerability analysis and update capabilities for remediation, examination of the mobile and/or desktop applications required for the toy's functionalities, strength analysis against common attacks, and analysis of the security of physical and wireless connections.
  • Proposals for improvement: suggestions for households and manufacturers to strengthen cybersecurity and digital trust, aligned with the European Cyber Resilience Act (CRA).

During the presentation, a live demonstration was given to illustrate how an attacker could compromise a remote-controlled toy car and use it as a bridge to access other devices in the home network. This practical exercise highlighted the relevance of strengthening protection measures in products aimed at children.

Commitment to digital security

The report is part of INCIBE's broader strategy to work closely with manufacturers and encourage responsible innovation. In addition, for more information, you can access the "Guide for the safe use of Connected Toys", launched in 2018 together with the Spanish Association of Toy Manufacturers, which consolidates INCIBE as a benchmark in cybersecurity for minors.

Unofficial translation