Techy toys make for some of the trendiest kids’ Christmas gifts, and what can be nerdier than interactive playthings and gadgets that give the adult versions — the likes of Alexa — a run for their money? Ask any child what’s cooler — an old-fashion Lego BB-8 droid or a BB-8 that can be controlled by a smart device? A plain ol’ Barbie or a doll called Cayla that can hold a conversation? A one-trick Tickle Me Elmo or a Furby that learns new phrases?
In a world where smart devices are indispensable and technology is embedded into everyday lives, many parents won’t think twice about a smart toy. These geeky toys are, after all, an extension of the internet-connected experiences that surround today’s digital-native youngsters.
But many of these toys are not all sugar and spice. They don’t just bring hours of interactive fun — they may be spying on your kids, and collecting data without you realizing it. And if that’s not enough to get them on Santa’s naughty list, these gadgets come with inherently poor security, increasing the possibility that someone with bad intentions can exploit them.
Smart toys and devices — those that connect to the internet to make interaction possible — depend on things like sensors, microphones, cameras and data transmission. Some can collect, record and transmit conversations and photo or video images; others collect physical location data, online browsing history and a variety of personal information like names and personal preferences. Many of them can be easily hacked.
Last year, the FBI issued a consumer notice warning that the features in connected toys can put the “privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”
“The generation of 4-, 5- and 6-year-olds are dealing with smart bears and smart Barbies and other smart toys. It’s a different era and it does have implications for parents,” says Thad Dickson, a former Washington state licensed children’s counselor who is now working in the healthcare security space, as the founder and CEO of Xpio Health, a Gig Harbor technology and behavioral-health consulting firm.
Dickson, who has teenage kids, says the Genie is out of the bottle and parents can’t take a “luddite approach in a world that’s technologically enabled.”
“Parents now more than ever have to be a technologist to understand the environment their kids are living in every day,” he says.
Why Smart Toys Carry Privacy Risks
Smart devices, toys included, are part of the Internet of Things, or IoT — a network of objects and devices (such as smart watches, home appliances or cars), and even animals or people, that are embedded with sensors, electronics, computing components such as chips or software etc.; have unique identifiers; and can transmit data autonomously, or without requiring human interaction, either directly through WiFi or an internet wireless port, or indirectly via a Bluetooth connected to another device like a smartphone.
Bluetooth connectivity can be especially troublesome because the toys often don’t have authentication requirements like a PIN or password, so an unauthorized user can easily pair up with them.
“There are examples out there how Bluetooth technology can be easily hijacked without the knowledge of the third party,” Dickson says.
Unlike computers, IoT devices are designed to perform a specific function, and because their real estate is limited, manufacturers typically give priority to the functionality rather than “extras” like security features. They usually don’t have a user interface or administrator console for basic security like changing passwords (and default passwords can be found online with a little know-how). And unlike devices like smartphones or tablets, IoT objects, toys included, are difficult to patch with security updates.
The less expensive the smart object, the less likely it has security features even as basic as user-authentication protocols.
“It’s hard to put (security protocols) in toys with a low price point, so be aware that simple, basic toys that are whiz-bang and nifty are potentially exposing you to vulnerabilities, especially if they’re running data over the cloud,” Dickson says.
At the same time, the smart toys may be gathering positional data or may be always on and always listening (much like Alexa, Siri, Cortana and Google Assistant do, so they can hear their “wake-up” words), and the data collected during the interaction with the child is typically sent to the manufacturer or a third party and stored on a server or in the cloud. If the data is not encrypted both in transmission and where it’s stored, it can be intercepted or breached — and it doesn’t take a technical genius to exploit the vulnerabilities.
The privacy risks are not just theoretical. Here are some examples:
- Last year, a security researcher found an easily accessible database with the account information of more than 800,000 users of CloudPets, internet-connected stuffed animals, as well as almost 2.2 million unsecured recordings.
- Consumer-privacy advocates found that the connected doll My Friend Cayla recorded conversations without parental consent. (Germany consequently banned the toy, classifying it as concealed transmitting device; in other words, spyware.)
- In 2015, the database of popular interactive toys maker VTech was hacked, exposing over 2 million parent accounts and more than 227,000 children’s records including photos and chat logs, making it possible to identify and locate the kids. (VTech settled with the Federal Trade Commission early this year for $625,000 for violating privacy laws.)
Protecting Your Kids
As Dickson pointed out, as far as smart devices are concerned, the Genie is out of the bottle. And not all smart toys, of course, are insecure. But whether you’re looking to buy a smart toy this holiday season or you child already has one, you need to understand the risks and the threats and take steps to protect your kids’ privacy and safety.
“As parents, we can’t be passive of our role in understanding and gaining fluency of these devices — how they’re interacting with the kids, what they’re collecting, the limits we should put on them for safety reasons,” Dickson says. “It’s part of our ecosystem, and we need to be educated about what they do.”
Securing Your Smart Toys
The FBI recommends taking the following minimum steps before using internet-connected toys:
- Research for known reported security issues from sites that conduct cybersecurity research, consumer product reviews, and child and consumer advocacy.
- Use only trusted and secure WiFi connections for the toys.
- Research the toy’s internet- and device-connection security measures, including use of authentication such as PIN or password for Bluetooth connection, and use of encryption both for transmitting and storing the collected data.
- Research if firmware and software updates and security patches are available for the toy; if it can be patched, ensure the toy is running the most current version.
- Research where the collected data is stored — with the company, third-party services or both — and whether there are public reports about those companies’ reputation and cybersecurity posture.
- If a parent application is available, use it to closely monitor your child’s interaction with the toy, such as conversations and voice recordings.
- Turn the toy off when it’s not in use, especially if it has a microphone and camera.
- Use strong, unique login passwords when you create your user account.
- Provide only minimally required information for user accounts.
Carefully read disclosures and privacy policies (both from company and any third parties) and consider the following:
- Will the company notify you in the case of a cyberattack and potential data exposure?
- Will the company notify you if it discovers vulnerabilities to the toy?
- Where is your data being stored and who has access to it?
- Will the company notify you if it makes changes to the disclosure and privacy policies?
- Does the company openly list contact information in case you have questions or concerns?