UCL Department of Science, Technology, Engineering and Public Policy


STEaPP-led research exposes cybersecurity risks in fitness trackers and children’s toys

21 April 2021

A report by researchers from UCL STEaPP and PETRAS National Centre of Excellence has found that fitness devices and children’s smart toys, as well as other connected devices, can be easily manipulated by domestic abusers seeking to access private information and control victims.

DCMS report

As the use of fitness trackers during subsequent lockdowns has surged, experts are raising concerns about their safety and ability to reveal personal information about people’s bodies, homes and their movements.

Medical devices with similar capabilities are heavily regulated, but there is a grey zone between these and fitness devices which has resulted in a regulatory loophole.

In the report, commissioned by the Department for Culture, Media & Sport (DCMS), Dr Saheli Datta Burton, Dr Leonie Tanczer, Professor Madeline Carr and Dr Srinidhi Vasudevan from UCL STEaPP and Professor Stephen Hailes, UCL Computer Science, analyse the issues around fitness devices and set out the necessary steps to secure them for consumers. The researchers are also part of the PETRAS National Centre of Excellence, who helped to co-ordinate the report.

Lead author Dr Saheli Datta Burton (UCL STEaPP) explained: “We as consumers need to be more demanding about the safety and security of fitness devices that are increasingly becoming a part of our daily lives. It’s important we know who else can read our information, how it’s being processed, whether the readings can be changed to cause harm and what manufacturers and regulators are doing to protect us.

“It’s also important that we understand what the margin of error is when fitness trackers read our data, for example when they monitor our heartbeat. These are unlikely to be as accurate as more heavily regulated medical devices and could pose a safety risk.”

Similarly, children’s toys connected to the internet which can be controlled using a smartphone app, voice commands or a Bluetooth connection are coming under scrutiny because of privacy concerns from insecure wireless connections, their ability to track children’s movements and poor data protection, rendering them easy to hack into.

For example, security experts have discovered it is possible to access voice recordings stored in toys with microphones without providing authentication. The ease at which toys can be hacked into also raises concerns about exposing children to online grooming and bullying, which is currently seen as mainly a smartphone and computer issue.

With the market for connected toys expected to double to US$18bn by 2023, the report’s findings also raise ethical questions about normalising increasingly intrusive modes of surveillance, packaged in toys such as internet-connected action figures and dolls, robotic toys and learning toys.

The authors highlight a weak commitment to basic cybersecurity standards by a majority of manufacturers of smart devices, which often lack basic features such as inbuilt encryption, password protection before distribution, user authentication, regular audits and assessments.

The ONS estimates that domestic abuse affected an estimated 5.7% of adults (2.4million) in England and Wales in the last year, with the vast majority of cases involving a partner. Women also account for 82% of victims and survivors of intimate partner homicide cases.

Co-author Dr Leonie Tanczer (UCL STEaPP) said: “Technology-facilitated abuse in the context of intimate partner violence requires our urgent attention. The misuse of digital systems for the purpose of monitoring, harassing and restricting victims and survivors of domestic abuse is sadly here to stay and will only increase as smart, internet-connected devices become more widespread.

“I see a unique opportunity for legislators to intervene in the emerging Internet of Things market. IoT devices and services are not yet widespread enough to make it impossible to change safety, security, and privacy requirements. So I am hopeful that our report will bring attention to problems that – if not addressed soon – may haunt us for a very long time.”

The UK has been proactive in reviewing regulatory frameworks and best practices to support the ongoing development of connected devices (often referred to as the Internet of Things – IoT) to be safe and secure for consumers. The DCMS has developed the Code of Practice for Secure IoT Consumer Devices (CoP) with support from the National Centre of Excellence for IoT Systems.

The work is ongoing and the next phase of research will look to analyse how widely the CoP has been taken up since publication in March 2018.

The British Toy and Hobby Association, which represents the toy manufacturing industry, has responded by offering a range of guidance and called on members to adopt these, but the report’s authors stress that more needs to be done at manufacturer level to safeguard children’s toys.

They recommend a wider adoption of the CoP by manufacturers and uptake of the European Standards Organisation’s technical specification, which has been designed to bring together good practice in consumer IoT security and to meet European and wider global needs.

In the US, state agencies are held responsible for their own cybersecurity. Self-regulation is common in the private sector, and led by a patchwork of industry-led associations with stated cybersecurity mission statements. However, within these associations, market and revenue goals sometimes take precedence over mission statements. This is particularly problematic as oversight bodies in this area such as the US Consumer Products Safety Commission (CPSC), which are often underfunded, often rely on trade or industry associations’ resources to carry out their work.

The report, The UK Code of Practice for Consumer IoT Security: where we are and what next, can be downloaded from the DCMS website.