Germany Calls on Parents to Destroy Cayla Dolls

The German government has told parents to destroy a talking doll called Cayla.

The country’s telecom regulator, known as the Federal Network Agency or Bundesnetzagentur, is warning that hackers can use an insecure Bluetooth device embedded in the toy to listen and talk to the child playing with it.

The Cayla doll has access to the internet and search, so it can answer kids’ questions, e.g., how big is a whale? Is Donald Trump’s tan real? However, hackers using specialized tools can gain control over the device and make it say anything they choose.

The vulnerability has been known since 2015, but Vivid Toy group has yet to fix the issue, despite complaints from US and EU consumer groups. The company has not yet commented on the destruction call.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: "I'm worried about the impact of connected dolls on children's privacy and safety."

Germany’s concern is more esoteric and linked to the country’s 20th-century legacy of state surveillance: in the post-World War II era, it is illegal to sell or possess a banned surveillance device, and doing so can land a person in jail for up to two years.

Student Stefan Hessel, from the University of Saarland, found that a Bluetooth-enabled device could connect to Cayla's speaker and microphone system within a radius of about 10 meters. So, an eavesdropper could spy on someone playing with the doll. Presumably, the situation can be replicated in reverse; and indeed, a spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a "concealed transmitting device… It doesn't matter what that object is—it could be an ashtray or fire alarm." As such, it could be banned.

Cayla isn’t the first connected doll to come under fire. During the Christmas season in 2015, Mattel’s Hello Barbie was shown to be hackable as well, kicking off a conversation around connected toys in general.

