SPICE Smart Toy Security Work Continues In Capstone Teams’ Research

Research, education, and outreach are a core mission of SPICE. As part of that continuing mission, Capstone teams are using smart toys in hacking workshops and at job fairs as examples of the work we do.

The three SPICE Capstone teams have a combined total of ten undergraduates. Two of those teams are working in the area of smart toy security and privacy, with one team working on Fisher Price's SmartToy Bear and the other working on Cloudpet's Unicorns and Cats. Severe security violations have previously been discovered, with the worst being the theft of Cloudpet’s data and user accounts.

The goal of studying these toys is twofold. First, they are an example of smart toys which still dominate toy sales. It is important to confirm that previous security violations have, in fact, been fixed. Second, several of the vulnerabilities that were found are common across the IoT spectrum. These security issues must be systematically addressed at design, implementation, disclosure, and regulatory levels, making them superb teaching tools as well as active problems to be solved.

Capstone students are fourth-year undergraduates who spend an entire year learning and working on a project addressing a real-world problem. As they learn and demonstrate practical skills, they must also build a deliverable product by the end of the year. That result will not only further the educational needs of SPICE, but can also follow them through their educational and business lives as proof of their hard work and abilities. Multiple teams aggressively sought the slots for our “IoT Toy Challenge.” As a result, SPICE expanded our original one-team plan, creating space and resources for a second team.

While each team is led by a different SPICE Ph.D. student, the teams share a general learning plan. They work on different targets and follow different paths as their research leads them. The teams’ approach is practical, using the tools of advanced research being taught and used in both groups. As Gianpaolo Russo, a Ph.D. student advising one of the Capstone teams, explains, their work is practical and challenging.

"These students are going through essentially an intensive boot camp in practical computer and network security. For some, this is their first time doing hands-on techniques, diving into protocols, parsing apart systems and software. It's a fire hose of information, but they are holding up well."

Since the teams are working on different devices, one on the Cloudpets and the other on the Fisher Price Bears, the directions of the research and the resultant deliverables are different even if the educational milestones follow the same structure and schedule. Both teams learn network scanning, data sniffing, target location, reverse engineering and a host of additional skills. One team's focus is more towards target location and breaching while the other is more concerned with improving the ability of the public to understand and mitigate threats for practical home use. It is this nature of Capstone education that lets student leadership and teamwork come to the fore, as project manager Joshua Streiff notes:

"The Capstone teams are finding security and privacy problems on their unique targets and are following their research where it leads them as teams. They demonstrate current, real-world threats which are then taken to educators, parents, business and government agencies who are stunned by what is possible and want to help us make these products safer for children to own and use."

In October, the Capstone teams’ work and training were leveraged both in a workshop for Indiana Women in Computing (INWIC 2017) and in outreach booths at the Indiana Statehouse. Threats discovered during the Capstone project were central to both efforts and received a strong and appreciative response. INWIC-affiliated SPICE faculty member Professor Camp notes of the Capstone research she is supervising:

"That we are using the Capstone team and REU results in October is impressive. This combination of students and toys in research is a nexus of workplace skills for future graduates, safety for families that use the toys, and sheer fun."