Security Requirements for Smart Toys

Luciano Gonçalves de Carvalho, Marcelo Medeiros Eler

2017

Abstract

Toys are an essential part of our culture, and they evolve as our technology evolves. Smart toys have been recently introduced in our market as conventional toys equipped with electronic components and sensors that enable wireless network communication with mobile devices that provide services to enhance the toy's functionalities. This environment, also called toy computing, provides users with a more sophisticated and personalised experience since it collects, processes and stores personal information to be used by mobile services and the toy itself. On the other hand, it raises concerns around information security and child safety because unauthorized access to confidential information may bring many consequences. In fact, several security flaws in toy computing have been recently reported in the news due to the absence of clear security policies in this new environment. In this context, this paper presents an analysis of the toy computing environment based on the Microsoft Security Development Lifecycle and its threat modelling tool with the aim of identifying a minimum set of security requirements a smart toy should meet. As result we identified 15 threats and 20 security requirements for toy computing.

References

  1. Biswas, D., 2012. Privacy Policies Change Management for Smartphones. In IEEE International Conference on Pervasive Computing and Communications Workshops, pages 70-75.
  2. Canadian Public Works and Government Services, 2000. Personal Information Protection and Electronic Documents Act.
  3. Baraniuk, C., 2016. Call for privacy probes over Cayla doll and i-Que toys. BBC News, Technology, 6 Dec 2016. Accessed 12 Dec 2016, available at <http://www.bbc.com/news/technology-38222472>.
  4. Broll, G., Hubmann, H., Prezerakos,G., Kapitsaki, G., Salsano, S., 2007. Modeling Context Information for Realizing Simple Mobile Services. In Mobile and Wireless Communications Summit, 2007. 16th IST, pp. 1-5.
  5. Deloite, 2015. Global Mobile Consumer Survey: US Edition - The rise of the always-connected consumer. Accessed 22 May 2016, available at <http:\\www.deloitte.com/us/mobileconsumer>.
  6. Fox-Brewster, T., 2016. Hackers Could Have Turned Vulnerable Smart Teddy Bear Into Demon Toy. Forbes, Security, 2 Feb 2016. Accessed 08 Dec 2016, available at <http://www.forbes.com/sites/thomasbrewster/2016/0 2/02/fisher-price-hero-vulnerable-tohackers/#359130c71cfe>
  7. GAO, 2016. United States Government Accountability Office. Information Security - Agencies Need to Improve Controls over Selected High-Impact Systems, GAO-16-501. Accessed 24 May 2016, available at <http://www.gao.gov/assets/680/677293.pdf>
  8. Hackett, R., 2016. This FisherPrice Smart Toy Bear Had Data-Leak Vulnerability. Fortune, Tech Internet of Things, 2 Feb 2016. Accessed 08 Dec 2016, available at < http://fortune.com/2016/02/02/fisher-price-smarttoy-bear-data-leak/>
  9. Lipner, S., 2004. The Trustworthy Computing Security Development Lifecycle. Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), IEEE.
  10. Mead, N., 2006. SQUARE Process. The Build Security In. Software Engineering Institute, Carnegie Mellon University. Accessed 03 Nov 2016, available at <https://www.us-cert.gov/bsi/articles/best-practices/
  11. Mead, N., Hough, E., Stehney, T., 2005. Security Quality Requirements Engineering (SQUARE) Methodology. CMU/SEI-2005-TR-009, Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
  12. Microsoft, 2011. Security Development Lifecycle, SDL Process Guidance. Version 5.1, April 14. Accessed 24 Feb 2017, available at <http://www.microsoft.com/sdl.>
  13. Nagappan, M., Shihab, E., 2016. Future Trends in Software Engineering Research for Mobile Apps. In IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), Volume 5, pages 21-32.
  14. Newman, J. 2015. Internet-connected Hello Barbie doll can be hacked. PCWorld, Security, News, 7 Dec 2015. Accessed 12 Dec 2016, available at
  15. <http://www.pcworld.com/article/3012220/security/intern et-connected-hello-barbie-doll-can-be-hacked.html>
  16. Ng, M., Chow, M., Salgado, A., 2015. Toys and Mobile Applications: Current Trends and Related Privacy Issues. Mobile Services for Toy Computing. International Series on Computer Entertainment and Media Technology, Springer, 2015, p. 51-76. ISSN 2364-947X.
  17. Rafferty, L.; Hung, P., 2015. Introduction to Toy Computing. Mobile Services for Toy Computing. International Series on Computer Entertainment and Media Technology, Springer, 2015, p. 1-7. ISSN 2364- 947X.
  18. Rafferty, L., Fantinato, M., Hung, P., 2015. Privacy Requirements in Toy Computing. Mobile Services for Toy Computing. International Series on Computer Entertainment and Media Technology, Springer, 2015, p. 141-173. ISSN 2364-947X.
  19. Rafferty, L., Hung, P., Fantinato, M., Peres, S., Iqbal, F., Kuo, S., Huang, S., 2017. Towards a Privacy Rule Conceptual Model for Smart Toys. In Proceedings of the 50th Hawaii International Conference on System Sciences, HICSS, Jan 04.
  20. Secure Software, 2005. The CLASP Application Security Process. Secure Software, Inc. Accessed 16 Nov 2016, available at <https://www.ida.liu.se/TDDC90/literature/papers/cl asp_external.pdf>.
  21. Sindre, G., Opdahl, A., 2005. Eliciting Security Requirements with Misuse Cases. Requirements Eng.,
  22. vol. 10, no. 1, pp. 34-44.
  23. Sommerville, I., 2011. Software Engineering. 9th Edition, Pearson Education.
  24. Tondel, I., Jaatun, M., Meland, P., 2008. Security Requirements for the Rest of Us: A Survey. IEEE Software, vol. 25, Issue No. 1 - January/February.
  25. United States Federal Trade Commission, 1998. Children's Online Privacy Protection Act of 1998. Accessed 27 Nov 2016, available at <http://www.coppa.org/coppa.htm>.
  26. Viega, J., 2005. Building Security Requirements with CLASP. In Proceedings of the 2005 Workshop on Software Engineering for Secure Systems & Mdash, SESS'05, May 15-16, St. Louis, MO, USA.
  27. Zapata, B., Niñirola, A., Fernández-Alemán, J., Toval, A., 2014. Assessing the Privacy Policies in Mobile Personal Health Records. In 36th Annual International Conference of the IEEE Engineering in Medicine and Biology Society, pages 4956-4959.
Download


Paper Citation


in Harvard Style

Gonçalves de Carvalho L. and Medeiros Eler M. (2017). Security Requirements for Smart Toys . In Proceedings of the 19th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-248-6, pages 144-154. DOI: 10.5220/0006337001440154


in Bibtex Style

@conference{iceis17,
author={Luciano Gonçalves de Carvalho and Marcelo Medeiros Eler},
title={Security Requirements for Smart Toys},
booktitle={Proceedings of the 19th International Conference on Enterprise Information Systems - Volume 2: ICEIS,},
year={2017},
pages={144-154},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006337001440154},
isbn={978-989-758-248-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 19th International Conference on Enterprise Information Systems - Volume 2: ICEIS,
TI - Security Requirements for Smart Toys
SN - 978-989-758-248-6
AU - Gonçalves de Carvalho L.
AU - Medeiros Eler M.
PY - 2017
SP - 144
EP - 154
DO - 10.5220/0006337001440154