September 12 2023, 18:47

Continuing with the interesting finds from the Museum of Failures. Meet My Friend Cayla, a doll that can answer children’s questions about everything under the sun. Released by Genesis Toys in 2014 and discontinued in 2017. In Germany it was banned as a surveillance device, because it turned out that the manufacturer not only sold the gathered information to third parties but also let partner companies advertise their products through the doll’s speech.

By the way, if you thought this involved something like an embedded ChatGPT: no, for 2014 that would have been far too much. Essentially, the doll was a Bluetooth headset for a phone. It required a special app that sent the audio to a server, which recognized it, processed it, synthesized a response and sent it back to the phone. The app partly searched the internet for answers and partly used its own database. On top of that, Genesis Toys gave her a “personality” so that answers to questions about the doll herself stayed consistent.

If Cayla didn’t have a ready response in the local database, she would use the Wikipedia API.

She also has a list of approximately 1,500 “bad words.” If a child asks about them, or if they appear in a Wikipedia response, Cayla gives a sanitized generic answer: “I don’t want to talk about this.” It is asserted that “gay marriage” is listed in the category of “bad words.”
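The answer pipeline described above (local database first, Wikipedia as fallback, blocklist applied to both the child’s question and the remote response), as an added illustration that is not Genesis Toys’ code. The phrase list, the local database entries and the `wiki_lookup` callback are constructed assumptions; the real doll shipped about 1,500 entries.

```python
import re
from typing import Callable, Optional

# Constructed sample data for illustration only (the real list had ~1,500 entries).
BAD_PHRASES = {"gay marriage", "weapon"}
LOCAL_DB = {"what is your name": "My name is Cayla."}
REFUSAL = "I don't want to talk about this."
UNKNOWN = "I don't know that one."


def normalize(text: str) -> str:
    """Lowercase and strip punctuation so phrase matching is stable across inputs."""
    return " ".join(re.findall(r"[a-z0-9']+", text.lower()))


def contains_bad_phrase(text: str) -> bool:
    """Whole-phrase match of any blocklisted entry against the normalized text.

    Padding with spaces keeps 'weapons' from matching 'weapon' and lets
    multi-word entries such as 'gay marriage' match as a unit.
    """
    padded = f" {normalize(text)} "
    return any(f" {phrase} " in padded for phrase in BAD_PHRASES)


def answer(question: str, wiki_lookup: Callable[[str], Optional[str]]) -> str:
    """Cayla-style pipeline: filter the question, try the local DB, fall back to
    the (hypothetical) wiki_lookup callback, then filter the response as well,
    since text fetched from Wikipedia is untrusted content."""
    if contains_bad_phrase(question):
        return REFUSAL
    reply = LOCAL_DB.get(normalize(question))
    if reply is None:
        reply = wiki_lookup(question)  # assumed callback standing in for the Wikipedia API
    if reply is None:
        return UNKNOWN
    return REFUSAL if contains_bad_phrase(reply) else reply
```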

Germany eventually recommended that parents not only dispose of the doll but actually destroy it before throwing it away, since the doll formally qualified as a spying device and violated local law. From what I understand, it was prohibited not just to sell the doll but even to possess it in Germany. Moreover, owners were required not just to destroy it but to do so officially: obtain a document proving its destruction and send that document to the authorities. Otherwise, a fine of 26,000 euros and/or imprisonment awaited.

Now, why exactly did a mere headset in a doll cause such an uproar? Basically, there were four vulnerabilities:

1. Dangerous Stalker – altering the database contents on the child’s mobile device. A strange vulnerability, but okay.

2. Man-in-the-Middle (MitM) attack – between the phone and the internet, with requests and responses altered in transit. This one is rather serious.

3. A backdoor was found. ChatGPT translated this point as “The backdoor gap of Cayla herself.”

4. Random Pairing – when the paired host device leaves Bluetooth range, a malicious device can be connected with a single touch to confirm the pairing.

So, some startups can indeed be painful;)
