Security requirements and tests for smart toys

Abstract

The Internet of Things creates an environment to allow the integration of physical objects into computer-based systems. More recently, smart toys have been introduced in the market as conventional toys equipped with electronic components that enable wireless network communication with mobile devices, which provide services to enhance the toy’s functionalities and data transmission over Internet. Smart toys provide users with a more sophisticated and personalised experience. To do so, they need to collect lots of personal and context data by means of mobile applications, web applications, camera, microphone and sensors, for instance. All data are processed and stored locally or in cloud servers. Naturally, it raises concerns around information security and child safety because unauthorised access to confidential information may bring many consequences. In fact, several security flaws in smart toys have been recently reported in the news. In this context, this paper presents an analysis of the toy computing environment based on the threat modelling process from Microsoft Security Development Lifecycle with the aim of identifying a minimum set of security requirements a smart toy should meet, and propose a general set of security tests in order to validate the implementation of the security requirements. As result, we have identified 16 issues to be addressed, 15 threats and 22 security requirements for smart toys. We also propose using source code analysis tools to validate seven of the security requirements; three test classes to validate seven security requirements; and specific alpha and beta tests to validate the remaining requirements.