Be aware: Connected toy security and privacy risks have arrived this holiday


Internet-connected toys are popular – and your children may have received some over the holidays, but are you aware of the security risks?

We know that IoT devices are notoriously insecure. Too often they are difficult to update when security vulnerabilities are uncovered — if users are notified of updates at all. The problem with these toys is that they can be used by snoops and predators. It’s not necessarily a high risk that any child’s toy, or child, would be specifically targeted, but it is a real risk worth considering.

Earlier this year, the FBI released a public service announcement that encouraged consumers to take security into account when introducing smart toys into their homes. “Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions. These toys typically contain sensors, microphones, cameras, data storage components and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed,” the FBI wrote.

Because these devices are designed to grab conversation details in the room where the device is being used, all sorts of personal information can be collected. This is information — name, school, friends, hobbies, family names, whereabouts — can be used by criminals and predators.

An attack on a device itself is not the only privacy concern; there’s also a lot of concern about how these manufacturers use the data they collect. According to the FBI, “companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history and Internet addresses/IPs. The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”

If you think these concerns are overblown, think again. Consider this blog from Troy Hunt, Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages, which explains the story of how a toy’s data – messages from parents to their children – were being stored online and left unprotected. The unsecured database was discovered and well over 583,000 records were exposed.

There have been toys with many security concerns in recent years. Running into the holiday shopping season, there were even calls to ban the sale of IoT toys with proven security flaws.

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution. Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold,” said Alex Neill, managing director of home products and services at consumer advocacy organization Which? in a statement.

The reality is the sales of IoT toys are going to do just fine, and few people will eschew them for fear of security issues. So what should people do? The FBI provides great advice in their advisory:

  • Research for any known reported security issues using online resources from sites that conduct cyber security research, consumer product reviews, and child and consumer advocacy
  • Only connect and use toys in environments with trusted and secured wi-fi internet access
  • Research the toy’s internet and device connection security measures
    • Use authentication when pairing the device with Bluetooth (via PIN code or password)
    • Use encryption when transmitting data from the toy to the wi-fi access point and to the server or cloud
  • Research if your toys can receive firmware and/or software updates and security patches
    • If they can, ensure your toys are running on the most updated versions and any available patches are implemented
  • Research where user data are stored – with the company, third party services or both – and whether any publicly available reporting exists on their reputation and posture for cybersecurity
  • Carefully read disclosures and privacy policies (from company and any third parties) and consider the following:
    • If the company is victimized by a cyberattack and your data may have been exposed, will the company notify you?
    • If vulnerabilities to the toy are discovered, will the company notify you?
    • Where is your data being stored?
    • Who has access to your data?
    • If changes are made to the disclosure and privacy policies, will the company notify you?
    • Is the company contact information openly available in case you have questions or concerns?
  • Closely monitor children’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if such a feature is available
  • Ensure the toy is turned off, particularly those with microphones and cameras, when not in use
  • Use strong and unique login passwords when creating user accounts (e.g., lower and uppercase letters, numbers and special characters)
  • Provide only what is minimally required when inputting information for user accounts (e.g., some services offer additional features if birthdays or information on a child’s preferences are provided)

While that’s good advice, it’s also asking parents, grandparents, and other guardians to take on the role of system administrators for connected toys. But it’s the new reality of today’s connected-everything world.


Want good IoT security? It’s up to each and every one of us

Industry 4.0 and IoT pose new security challenges

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.