Security Requirements for Smart Toys

Toys are an essential part of our culture, and they evolve as our technology evolves. Smart toys have been recently introduced in our market as conventional toys equipped with electronic components and sensors that enable wireless network communication with mobile devices that provide services to enhance the toy's functionalities. This environment, also called toy computing, provides users with a more sophisticated and personalised experience since it collects, processes and stores personal information to be used by mobile services and the toy itself. On the other hand, it raises concerns around information security and child safety because unauthorized access to confidential information may bring many consequences. In fact, several security flaws in toy computing have been recently reported in the news due to the absence of clear security policies in this new environment. In this context, this paper presents an analysis of the toy computing environment based on the Microsoft Security Development Lifecycle and its threat modelling tool with the aim of identifying a minimum set of security requirements a smart toy should meet. As result we identified 15 threats and 20 security requirements for toy computing.