León, December 13, 2024.- The National Cybersecurity Institute (INCIBE), an entity under the Ministry for Digital Transformation and Public Function, through the Secretary of State for Telecommunications, Digital Infrastructures and Digital Security, has today presented an innovative report on the security of connected toys, becoming the first European body to carry out a comprehensive analysis according to the criteria of the European Union's Cyber Resilience Act (CRA). The report is part of the actions Spain is leading to protect consumers and companies against vulnerabilities in devices with digital components.
The EU Cyber Resilience Act (CRA) entered into force in December 2024 and has a three-year transition and adoption period. After that, compliance will be mandatory for manufacturers and distributors of products marketed in the EU. In addition, Member States will have to inspect between 3% and 10% of the products on the market, depending on the risk, product criticality, category and volume on the market.
Spain, through INCIBE, is therefore the first European country to carry out this analysis, during the current voluntary phase.
The event, held at the headquarters of INCIBE in León, was attended by the Minister of Digital Transformation and Public Function, Óscar López, and the Secretary of State for Telecommunications, Digital Infrastructures and Digital Security, Antonio Hernando.
In his speech, the minister stressed: "With this report, Spain reinforces its leadership in the implementation of the Cyber Resilience Law, not only by complying with European standards, but by anticipating its demands. Connected toys are a sample of how technology can be an ally of leisure and learning, provided they are used safely. This joint effort with manufacturers and consumers is essential to especially protect the most vulnerable, our children."
Key Report Results
To carry out the study, INCIBE selected 26 smart toys, taking into account the best sellers on online platforms. These toys can handle user data through video or audio recording, a Bluetooth or Wi-Fi connection, or a mobile application used to control the device.
Their vulnerabilities were evaluated and improvement requirements were identified for manufacturers, reinforcing key protection aspects so that the products analyzed meet the highest safety and reliability standards. These requirements are accompanied by recommendations to provide consumers with a safe, quality user experience.
The study provides the following information and results:
Critical points identified: Problems were found in some products, such as insecure default configurations, which may allow sensitive data such as passwords to be transmitted insecurely; deficiencies in the implementation of security updates; and vulnerable mobile applications, which could allow the exploitation of vulnerabilities and even remote control of the device by attackers.
Evaluated attack vectors: Eight key areas were evaluated, with toys grouped according to their connection technologies and exposure surfaces: analysis of vulnerabilities and of the update capabilities to remediate them, examination of the mobile and/or desktop applications necessary for the functionality of the toy, analysis of resistance to common attacks, and analysis of the security of physical and wireless connections.
Improvement proposals: Suggestions for families and manufacturers to strengthen cybersecurity and digital trust, aligned with the European Cyber Resilience Act (CRA).
During the presentation, a live demonstration was held to illustrate how an attacker could compromise a remote-controlled toy car and use it as a bridge to access other devices on the home network. This practical exercise highlighted the importance of strengthening protection measures in products aimed at children.
Commitment to digital security
The report is part of INCIBE's broader strategy to work closely with manufacturers and foster responsible innovation. For more information, see the "Guide to the safe use of Connected Toys", launched in 2018 with the Spanish Association of Toy Manufacturers, which consolidates INCIBE as a reference in cybersecurity for minors.