Innovation is easy, but adaptation is hard: Best infosec long reads 6/13/26
How a doll sparked an international security scandal, Smart home technology erodes our privacy and autonomy, We need 'Operation Warp Speed' for AI, Security and not speed should be uppermost in US-AI China race, Ditch cyber checklists in favor of engineered resilience

Happy Saturday to all!
Full access to Metacurity's curated infosec long reads is available to paid subscribers. Our goal is simple: make it financially viable to keep investing the time and expertise required to find, vet, and contextualize the most important security journalism each week. Free readers will still get highlights, but subscribers will get the complete, deeply curated set.
Please help support Metacurity in achieving our goal by upgrading your subscription to gain full access to this issue and all content published on Metacurity, including the archives.
6/13/26: This week's infosec long reads suggest that technological progress is increasingly outpacing society's ability to manage it, making resilience, security, and adaptation more important than innovation alone. Whether discussing insecure smart toys, AI-powered cyber defense, the US-China AI competition, smart homes, or cyber-resilient critical infrastructure, each piece argues in its own way that the key challenge is building the safeguards, institutions, and engineering practices needed to ensure powerful technologies remain beneficial rather than becoming sources of risk.
The International Security Scandal of My Friend Cayla
In her blog, the Cut Price Guignol, Scottish writer Lou, Queen of the Guignol, recounts how My Friend Cayla, a Bluetooth-connected talking doll marketed as an interactive companion, became an international privacy and security scandal after researchers discovered it could be easily hacked, used to eavesdrop on children, and potentially used to collect personal data, leading Germany's Federal Network Agency to classify it as a prohibited espionage device and effectively ban it.
[I]t wouldn’t take long till Cayla was revealed to be scary in an entirely more palpable fashion. On 30th January 2015, the Tech Tent, a show on the BBC World Service, shared a clip of security researcher Ken Munro, who had identified a unique vulnerability in Cayla’s software – specifically, that the app, which was unprotected by any kind of passcode, could be hacked to force Cayla to say almost whatever the hacker wanted. To prove his point, Munro has Cayla take a very different approach to her usual friendly nature. “I’m in charge now,” Cayla announces. “You might think I am just a sweet toy, but now I have been hacked, I can say all sorts of scary things.” Munro encouraged parents to keep Cayla turned off when not in use and to carefully lock down all devices attached to her.
But it wasn’t just Munro who raised concerns about the toy’s vulnerabilities. Towards the end of 2015, Tim Medin, of Red Siege Information Security, tested the limits of the doll’s security, and found that not only could the app be hacked to allow her to say whatever you wanted, but that you could play any noises you wanted through her speakers – which he proved by running some of the sound effects and screams from the movie Poltergeist through Cayla. Additionally, Medin remarked on how easily the toy could be repurposed into a remote speaker by anyone close enough to connect via Bluetooth. “In an apartment complex many people could be in range of this device and use it for nefarious purposes,” he pointed out. “This toy can be used to listen to, and communicate with, a child with no authentication required.”
In theory, the toy was protected from covert access because the doll’s necklace was supposed to light up whenever it was switched on. However, as Stefan Hessel, a law student from Germany, pointed out, that feature could easily be turned off using the app, meaning that anyone within a certain radius of the doll could feasibly be listening in without anything to raise the alarm.
With the doll’s vulnerabilities laid bare right before Christmas shopping season, Genesis Toys swiftly tried to brush off the concerns about the issues with Cayla’s security. General manager of Genesis, Peter Magalhaes, insisted that “Cayla was basically the subject of a tech prank”, and the toy was stocked on shelves that year, landing in homes across Europe and America.
But the criticisms didn’t end there. European consumer watchdog Beuc identified certain biases in the answers that Cayla would give, indicating a particular affinity for Disney products, adding a layer of covert marketing that feels particularly cynical to attach to a child’s toy like this. Perhaps more concerningly, though, they pointed out that Nuance Communications, the company through which the doll’s audio input was processed, reserved the right to share the information received with third parties, meaning that children’s recorded conversations could feasibly be used in further targeted marketing.
However, the harshest statement against the toy came in early 2017, when Hessel released a legal opinion about whether the doll’s security vulnerabilities constituted a violation of the German Telecommunications Act. In his conclusion, Hessel noted that “…‘my friend Cayla’ is a camouflaged transmitter that is also suitable for secretly listening to conversations. However, it is questionable whether there is also a determination of the transmitter system. From the author’s point of view, there are decisive reasons for the fact that the dummy is also intended for listening and thus a prohibited transmitter…”
Hessel submitted this opinion to authorities, and, in February 2017, a spokesperson for the Federal Network Agency confirmed their conclusions: the doll met all the criteria of a prohibited spy device. This meant not only that the doll had to be taken off the market in Germany with immediate effect, but that anyone in possession of a doll would be called upon to destroy it at once. Because the toy had been ruled a prohibited transmitter and classified as a concealed espionage device, sale and possession could land anyone who owned the doll in prison for up to two years.