Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll, Germany urges parents

Germany's Federal Network Agency, or Bundesnetzagentur, has banned Genesis Toys' Cayla doll as an illegal surveillance device. "Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," said agency president Jochen …

  1. Anonymous Coward
    Anonymous Coward

    In response, Theresa May announced a new initiative to give toys to school age children.

    1. Tom 64
      Gimp

      Re: Theresa May doll

      I'll take it. But only if it is a voodoo doll OF the glorious Pry Minister herself.

  2. Dwarf

    "Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," said agency president Jochen Homann in a statement. "This applies in particular to children's toys. The Cayla doll has been banned in Germany."

    Presumably Xbox, iStuff, Windows 10, Alexa and all the other voice-activated junk are on the list behind Cayla and they will announce those next week?

    After all, they all do the same thing and are all used by children.

    1. Anonymous Coward
      Anonymous Coward

      @ Dwarf

      They are not disguised as some other normally innocuous household object.

      1. Dwarf

        Re: @ Dwarf

        Ahh, so hidden in plain sight is OK in your book?

        Isn't the problem what it does, rather than the way it looks?

        1. John Brown (no body) Silver badge

          Re: @ Dwarf

          "Isn't the problem what it does, rather than the way it looks?"

          Not exactly. According to the article "Germany's network watchdog said any toy capable of transmitting signals and surreptitiously recording audio or video without detection is unlawful." To me, that says it's fine so long as there's some indication of when it's operating, listening, sending data,

          1. Anonymous Coward
            Joke

            Re: @ Dwarf

            To me, that says it's fine so long as there's some indication of when it's operating, listening, sending data,

            The new model addresses this concern. When it's operating, its eyes light up; when it's listening, its ears twitch; and when it's sending data, it looks constipated.

            1. Nolveys

              Re: @ Dwarf

              The new model addresses this concern. When it's operating, its eyes light up; when it's listening, its ears twitch; and when it's sending data, it looks constipated.

              The one I gave my daughter is spinning its head around, projectile vomiting and suggesting unwholesome activities to be done with Jesus. Should I call tech support?

              Oh wait, that's just the Theresa May doll. Never mind.

              1. GrumpyOldBloke

                Re: @ Dwarf

                Who would give their kid a Theresa May doll? You just know that is not going to end well.

          2. big_D Silver badge

            Re: @ Dwarf

            @John Brown exactly. If her eyes lit up red when she was listening, then it would be fine.

            The other services mentioned all make a tone when they start listening and give a visual clue to the fact they are recording voice.

            That said, Alexa has only just started shipping over here, in Germany, and it is likely to meet some resistance. Certainly my wife won't let anything like that into the house.

          3. Anonymous Coward
            Anonymous Coward

            Re: @ Dwarf

            So, how would that work in the present case? A simple red light on the doll might be a bit creepy (especially if it were the eyes!). But it does have voice capability (I believe), so it could vocally warn when it's in "data collection" mode.

            Um, something like "Smile, Snookums! You're on Candid Camera!" :-D

      2. William 3 Bronze badge

        Re: @ Dwarf

        They also have large, very powerful financial lobbying groups in common.

      3. not.known@this.address

        Re: @ Dwarf

        Might not be disguised, but after months of my frequent moaning and whining about how those things have permanently live mics my missus had a very audible demonstration of how sneaky the things are when her phone suddenly says "I'm sorry, I didn't catch what you said" from INSIDE her handbag on the other side of the room.

        So not only are they always listening but they are worryingly sensitive too... at least, worrying if you value any sort of privacy.

      4. RAMChYLD

        Re: @ Dwarf

        Since when is a laptop not an "innocuous household object"?

    2. a_yank_lurker

      @ Dwarf also

      There is also a major difference in expectation. While I despise Bloat 10's Spyware-as-a-Service model, it is an OS for computers. One would reasonably expect the computer to connect to the Internet, and that would mean some communication back to the mothership, even if only to get updates and patches. Cayla is a doll marketed at children, who should not be expected to understand the privacy implications of the device when most adults have problems understanding these issues.

      1. Dwarf

        Re: @ Dwarf also

        Cayla does voice processing, as do all the rest (Siri, Alexa, Cortana), so there is no difference. All of them are listening and shipping it back to the mothership for processing.

        Children use Xbox, iStuff, etc, so again it's the same argument.

        The age of the consumer makes no difference, since adults will have purchased all of them, even if they are subsequently given to children to use.

        1. William 3 Bronze badge

          Re: @ Dwarf also

          Begone with you. Common sense and logic are useless against the collective might of those three named companies' fanboys.

    3. Mage Silver badge
      Big Brother

      Google, Amazon, Apple, Microsoft.

      Mattel has an evil "parenting" gadget like Echo.

      Google TV certainly breaks this law. People are better NEVER connecting Smart TV to Internet, but using PS4 or some media box for Netflix etc. Most Smart TV makers seem to have abandoned their own GUI for Google's Android TV, which apart from being spyware, is a rubbish UX for TVs.

      1984 was really about 1948 politics. However, Orwell would be amazed that every democracy has allowed the Corporate "Big Brother" to spy on its citizens via browser stats, web cookies, clear pixels, JavaScript etc. on the Internet, as well as evil IoT personal-data-monetising products: Facebook (a dictator's wet dream), Echo, Spot, Siri, Chrome Browser, Chrome OS/Chromebook, Android wearables, Android on phones, iOS, Windows 10, Android TV, etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Google, Amazon, Apple, Microsoft.

        "Google TV certainly breaks this law"

        No it doesn't. You have to opt into voice recognition. Do you even OWN a GoogleTV device???

    4. Anonymous Coward
      Anonymous Coward

      After all, they all do the same thing and are all used by children.

      Samsung TVs?

  3. Pliny the Whiner

    With my luck, Cunty Cayla would become self-aware while I was trying to smash her into the afterlife using an old IBM XT keyboard.

    1. BebopWeBop
      Thumb Up

      A very fine keyboard (I still use mine - with a Mac :-) and the best thing is, having seen off a Grizzly and then beaten Cayla into submission, it would still work perfectly well (even if the Grizzly's blood might reduce the clicker's clack).

  4. Queeg
    Boffin

    Then again..

    They could just remove the batteries.

    No more spying and the child keeps the toy. (A little old-fashioned, I know, dolls without power supplies, but this sounds like an emergency after all.)

    1. Anonymous Coward
      Terminator

      Re: Then again..

      Locating alternative power supply...

    2. Anonymous Coward
      Anonymous Coward

      'They could just remove the batteries.'

      * One day the neighbour's kid comes over and puts the batteries back in. They even connect your Smart TV to the internet. Six months later you notice, but by then it's too late! Overall, your thinking is delusional... It's a fake sense of control, that's all.

      Is globalisation to blame for shipping IoT products devoid of consumer input...? Maybe, but the more pressing question is: will there eventually be a populist backlash to IoT products, including Win-10 slurping + Android Smartphone spying???

      1. RAMChYLD

        Re: 'They could just remove the batteries.'

        If you want to go the extra mile, you can take her apart and rip the microphone, camera and circuit board out, then put her back together.

        If this thing is anything like those Smart Toys Mattel put out though, the battery is non-removable. You may need screwdrivers with a proprietary head as well as a pair of wire cutters to gut the thing.

    3. Doctor Syntax Silver badge

      Re: Then again..

      "They could just remove the batteries."

      And then give it a quick zizz in the microwave, just to make sure.

  5. Rol

    Aiding and abetting!!

    Just take these feckless gimmick pushers to court and charge them with aiding and abetting paedo's.

    Time in jail, or bludgeoned into liquidation with a sledgehammer fine, would have them rethinking their ill-thought-out stumble into connected devices.

    It is a crime to assist criminals. We don't need any clarifying legislation. We just need the authorities to use the tools society has allowed them and get on with the job of punishing every firm for implementing inadequate security and thus leaving their customers open to all manner of criminal attack.

    1. Anonymous Coward
      Anonymous Coward

      Such Redneck. Much anger! Wow.

      You can't just go out and declare that someone is "aiding and abetting" "paedo's" (What they?)

      Rule of law and all that.

    2. PNGuinn
      Happy

      Re: Aiding and abetting!!

      "Time in jail, or bludgeoned into liquidation with a sledgehammer, would have them rethinking their ill-thought-out stumble into connected devices."

      There - FIFY

    3. John Smith 19 Gold badge
      Childcatcher

      "charge them with aiding and abetting paedo's."

      I hate to say this but just for once that TOTC BS could actually be useful.

      And let's be honest, what sort of people want to mass-compromise a doll mostly aimed at young girls?

      A) People wanting to build the next IoT botnet.

      B) People with a keen interest in young girls.

      Some of those might be boys their age but what are the odds they are not?

      1. Anonymous Coward
        Anonymous Coward

        Re: "charge them with aiding and abetting paedo's."

        These dolls will not stay in the girls' rooms. They'll drag them along, one moment in the living room, the next in the car, then to relatives and friends of the parents... therefore:

        C) Anybody with enough criminal energy to spy on a family, their relatives and friends

        D) Theresa May, who is busy doing away with human rights and replacing them with surveillance bills already

  6. DNTP

    Thanks for nothing, TECHNOLOGY

    We could have had moon colonies and cancer cures, but instead got a future where evil dolls are an actual, real threat to children instead of just being eBay legends.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thanks for nothing, TECHNOLOGY

      TESTIFY, Brother! We still do not have: flying cars, quantum computer wrist-wearables, ubiquitous self-moving sidewalks, a full steak and potatoes dinner reduced to the size of a pill and served on a normal-sized plate with a knife and fork for some reason, personal jet packs, robot fish, a robot cat that is better than a real cat, a robot girlfriend, a robot wife, a robot ex-wife, another robot girlfriend that is not the same as the first one I just mentioned, an iPhone that does not cause people who don't want one to hate it rather than merely ignore it, a bidet that does not confuse Americans, a cure for baldness AND a cure for unwanted hair all in one product! Let's say in an easy-to-insert suppository, why not?

      1. PNGuinn
        Go

        Re: Thanks for nothing, TECHNOLOGY

        "ubiquitous self-moving sidewalks" .... "Let's say in an easy-to-insert suppository" ...

        Sideways?

        EMNTK etc etc.

      2. Nifty Silver badge

        Re: Thanks for nothing, TECHNOLOGY

        And a combined playpen/Faraday cage

        1. DropBear
          Joke

          Re: Thanks for nothing, TECHNOLOGY

          "And a combined playpen/Faraday cage"

          I understand microwave ovens are pretty good Faraday cages, although you might get some funny looks as you're shoving your kid in, even if you never intend to turn it on...

      3. Crazy Operations Guy

        Re: Thanks for nothing, TECHNOLOGY

        Because now all the people that would normally create those technologies are slaving away so they can just barely make rent on a crappy apartment (just forget about the concept of paying a mortgage nowadays...).

    2. ecofeco Silver badge

      Re: Thanks for nothing, TECHNOLOGY

      No kidding DNTP. We could have had solar system colonization and instead all we got was video games and fancy phones and the mighty waterfall of the shit spewing Internet.

      In other words, consumer tat crap. Yet everyone thinks this is the coolest shit eva!

  7. Anonymous Coward
    Anonymous Coward

    "offers no special risk"... "there is no reason for alarm"...

    That's the manufacturer's take... More or less sums up the chaos that's IoT! And look, it's another student raising the alarm, just like Schrems... Not the regulator.... They're doing little, along with politicians etc.

    Overall I no longer believe this is accidental. I think every manufacturer wants in on 'spinal cord uplink / download'... Why? There are no margins making products anymore (thin scrapings on TVs etc.).

    Every company / corporation wants to be like the golden boys in the room, namely Facebook & Google. That's where the money's at. And they can only get to it by getting in on the snooping game. That's why both Samsung and Philips announced forced Ads on their old and new TVs in 2016. All the while unsure if it's 100% legal in the EU, but not bothering to ask first either.

    Windows-10 slurping, Android Smartphone permissions, Smart TV Ads/Spying, now this. When is the pushback coming, consumers??? The retailers and media are just as much to blame. They're willing zombies for the tech companies. 2017: Still no Linux / FOSS options in stores etc.

  8. Anonymous Coward
    Anonymous Coward

    Doll vulnerable to backdoor attack?

    "It also suggests the doll is vulnerable to man-in-the-middle attacks, a backdoor attack, and pairing with an arbitrary Bluetooth device."

    Is that really a children's toy, or do I just have a dirty mind?

    1. PNGuinn
      Childcatcher

      Re: Is that really a children's toy, or do I just have a dirty mind?

      Yes and yes.

  9. Anonymous South African Coward Bronze badge

    Emily wants to play...

    Google it.

  10. Anonymous Coward
    Anonymous Coward

    Cayla -- the one we know about!

    But here's the thing -- has this type of technology been hidden in mains powered consumer devices without our knowledge? Does the IoT kettle phone home all the conversations in the kitchen? Does the Nest thermostat phone home video from the bedroom? If yes, can the phoning home be intercepted by the much publicised "bad guys"?

    I think we should be told!!

    1. DropBear
      Joke

      Re: Cayla -- the one we know about!

      No idea. But in totally unrelated news, I'm just launching a startup selling a gizmo that just sits quietly in the corner and detects wireless transmitters in range that aren't the ones it knows about (your phone etc.) - wanna get in on the ground floor...?

  11. SVV

    Internet of Things

    Isn't this exactly the sort of thing that tech companies and, yes, tech journalists have been tediously hyping of late? And so every damn thing you buy will have this sort of tech in it, be hackable (because the idiots making it won't care a damn thing for security if there's quick, easy money to be made) and send every damn thing it sees or hears back to some large data-slurping company or other, as well as governments who want to slurp it all too.

    Personally I'm happy to be called a luddite for not being prepared to tolerate all this for the sake of having the latest new shiny stuff.

  12. TheProf
    Facepalm

    Horse stable door bolted

    Germany's Federal Network Agency waited until hundreds/thousands/millions of these toys were sold before they decided to ban them?

    Shouldn't the powers that be be stopping these toys being imported and sold in the first place?

    I mean it's not as if the EU doesn't have a huge number of regulations and staff to see they are complied with. Someone should have noticed that the toy has a wireless transmitter built into it and asked what it's for.

    1. Mage Silver badge
      Big Brother

      Re: Horse stable door bolted

      "it's not as if the EU doesn't have a huge number of regulations and staff to see they are complied with."

      Actually, no. CE marks are not issued by the EU. It's also the responsibility of individual governments to inspect what is on sale to the consumer. In many cases the "regulator" or department is "captured" by big business (Comreg, Ofcom, Irish Finance Regulator and Anglo Irish Bank and many more).

      The issue is not the EU, but deliberate obstruction by Governments, who often make fake claims about what the EU is demanding (which in any case is decided in the first place by the Member States). UKIP and fellow travellers are making the UK LESS consumer- and privacy-friendly.

      1. RegGuy1 Silver badge

        Re: Horse stable door bolted

        You can't say this!

        Your average UKIP voting numpty won't know this, won't understand it, and won't care in any case.

        If it says 'EU' it's just bad. They have no idea what the EU is or what it does. And they DON'T WANT TO KNOW.

      2. Anonymous Coward
        Anonymous Coward

        Re: Horse stable door bolted

        > The issue is not the EU, but deliberate obstruction by Governments, who often make fake claims about what the EU is demanding

        And you don't know the half of it. :-(

      3. Anonymous Coward
        Anonymous Coward

        Re: Horse stable door bolted

        > UKIP and fellow travellers

        You mean the anti-EU groups whose leaders, er, draw a salary plus benefits from the EU Parliament? (cf. also the Front National and others)

  13. Graham Cobb Silver badge

    Regulation is required

    Consumer protection regulations, with significant penalties, are needed. Any devices (not just toys) that don't meet the following should be classed as illegal surveillance devices:

    1) All recording or monitoring (even locally on the device) of audio or video must be very clearly highlighted on packaging, and explained, and must be able to be fully turned off (no further monitoring at all, even for the activation command, until it is turned back on again), with a parental control lock to prevent re-enabling by children if the parent has turned it off.

    2) Any feature which can send audio or video (live or recorded) anywhere outside the device must require a locally processed activation command to initiate the recording/sending. This might be a spoken command (such as the name of the device), processed locally, but it could also be something like a button on the device or a menu item. The recording/sending must be for limited time (less than 1 minute, maximum duration explained on the packaging).

    3) Activation must not be possible remotely (even for law enforcement or "safety" purposes) - it must require a local user interaction.

    4) There must be feedback to people in range of the collection (e.g. an LED or an icon on a screen) whenever the device believes it has received the command and so is recording/sending audio or video.

    If someone like the EU took the lead on this, then it is likely that these very reasonable protections would become generally accepted standards.

    1. Mage Silver badge
      Coffee/keyboard

      Re: Regulation is required

      We have the regulation.

      Governments are not interested in inspections and enforcement. Because it would cost money and upset large corporations, wholesalers, donors etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Regulation is required

        What about mass protests at the gates of the legislatures? Are they willing to burn 'em all?

    2. Ken Hagan Gold badge

      Re: Regulation is required

      "3) Activation must not be possible remotely (even for law enforcement or "safety" purposes) - it must require a local user interaction."

      I think all four of your suggestions are reasonable and should be taken up. However, I'm pretty sure I've read that mobile phones do not meet this third requirement. Therefore, this may be one that we have to compromise on in the short term.

    3. John Brown (no body) Silver badge

      Re: Regulation is required

      "If someone like the EU took the lead on this, then it is likely that these very reasonable protections would become generally accepted standards."

      Sadly for the UK, that would take more than two years and so likely not be implemented here. If by some miracle it did pass before Brexit, I have no doubt that whoever is Home Sec at the time would rescind it along with all the other "red tape" that the EU has "foisted" on us.

      1. John Brown (no body) Silver badge

        Re: Regulation is required

        A downvote? Is that you Theresa?

        1. Anonymous Coward
          Anonymous Coward

          Re: Regulation is required

          > Is that you Theresa?

          Yes.

  14. sysconfig

    Expectations

    If big companies who earn money with comms and networking (in the broadest sense) struggle to keep their stuff secure (TalkTalk, I'm looking at you, but not only at you), how on earth can anybody think that some random company from far, far away can and will keep their cheaply produced IoT stuff secure? Even if it was secure at time of purchase, who is going to update their daughter's doll? I mean seriously.

    They did the right thing in Germany; the ban won't help much, but it raises awareness of the risks. It's a start, and goes quite in the opposite direction of what's happening here in the UK (as pointed out by someone else before).

    This whole Internet of Trash is going to blow up in all our faces, if it hasn't already (depending on what gadget you have bought or intend to buy, or what is forced on you).

  15. Anonymous Coward
    Anonymous Coward

    Trump ordered a few hundred....

    ... to send it to other world leaders as presents.

    Angela Merkel loves her doll .... she put it right on her desk...

  16. Anonymous Coward
    Anonymous Coward

    Dolls with hidden device

    Reminded me of Five Nights at Freddy's, where the dolls (robots/animatronics) start moving at night and stuff kids into the doll...

    I don't think a hammer will do. I need a flamethrower to exterminate the doll.

  17. Anonymous Coward
    Anonymous Coward

    Take it apart

    Problem solved.

    Better still, some enterprising hacker should figure out what makes it tick, and trace all the circuitry to see if it's all just hype or not.

    Interesting factoid, if you work for TLAs you can now get smoke detectors which "look" exactly like the real thing and even detect smoke/heat but have a small 1080p camera hidden inside them.

    It can be set up to store data on a sanded-off memory IC, etc., and one-time-pad locked so that even if someone finds the thing the data is unreadable, sending its stored data via a randomized FHSS radio link at around 1.42 GHz synchronized to the use of RF-noisy devices such as domestic microwaves.

    The chip used is one or more 8-pin Flash chips, possibly a 512Mbit version, but the micro compresses the data while XORing with the one-time pad, so that represents several tens of thousands of images.

    The camera is hidden inside a relatively normal-looking bicolour clear LED which doubles as the "activity" light for the alarm, so you won't detect it, but shining an IR camera at it got an abnormal response.

    In this case the centre pin is encoded video out 0.3V p-p with non standard sync pulses to defeat camera detectors.

    The worrying thing here is just how many of them are out there. When I discovered this and mentioned it online with pictures of the offending unit(s) the hall alarm mysteriously got changed a few days later for (presumably) a better unit because the 3/4G/Wifi interference went away and has not returned since.

    Checking with counter revealed nothing, although I did find part of it disposed of in a tray where the fire book sits and they denied all knowledge when asked if they wanted it back.

    1. Charles 9

      Re: Take it apart

      "Interesting factoid, if you work for TLAs you can now get smoke detectors which "look" exactly like the real thing and even detect smoke/heat but have a small 1080p camera hidden inside them."

      1080p? That's an improvement over the one I found at Amazon a couple years back. That only had 600TVL. Anyway, you don't have to be in a TLA to find such a camera. And yes, they ARE working smoke detectors, too.

    2. Charles 9

      Re: Take it apart

      "Better still, some enterprising hacker should figure out what makes it tick, and trace all the circuitry to see if its all just hype or not."

      And once you find out that the device is equipped with suicide circuits such that defeating the telemetry bricks the device?

      And then you find out they're standard equipment in all the devices you can find in the store and online these days?
