Spying and security flaws take the shine off smart toys
Parents are being warned to avoid buying ‘‘smart toys’’ this Christmas, after the extent of their security vulnerabilities and data sharing was revealed.
An investigation by The Times found that almost two-thirds of popular connected toys shared data with third parties such as advertising companies, and in 28 per cent of cases the makers did not say whether children’s data was protected by encryption.
One company’s 3683-word privacy policy indicates that children as young as three are expected to study the document and secure their parent or guardian’s permission before sharing data and messages.
Two of the toys studied by The Times have been hacked by security researchers, meaning they could be used to spy on children, while others appeared to lack basic safeguards.
Britain’s children’s commissioner, Anne Longfield, said the industry was not being transparent and that data, including photos and audio recordings of children, was sent to ‘‘who knows where’’.
Toys that connect directly to the internet or sync to a user’s smartphone are increasingly popular.
Concerns have been mounting since 2016, when experts warned that the microphone-enabled My Friend Cayla doll was accessible over an unsecured Bluetooth connection, allowing strangers to listen to and even talk to children.
It was subsequently revealed that 2.2 million voice recordings of children collected by Cloud Pets soft toys were accessed by hackers after the data was stored insecurely.
The toys studied by The Times included the Vtech InnoTab Max tablet, for children aged three to nine. The tablet, which has a camera and microphone, shares users’ data with an unspecified number of third parties.
The Chinese company’s privacy policy has a ‘‘special note to children’’, saying their parent or guardian should know that use of its services could result in their data being transferred to countries where laws may not provide the same protection as in the United Kingdom.
Sure Cloud, a security company, recently discovered a security flaw in the tablet, which meant it could be hacked remotely to spy on children.
Vtech has issued a patch to address the problem, but this is not the first security scare for the Chinese company. Details of hundreds of thousands of user accounts, including photos of children, were exposed in a breach three years ago.
Another toy, the Parker teddy bear, requires users to download an iPad app that requests permission to access the user’s camera. The manufacturer, Seedling, collects data, including users’ whereabouts when they log into the app, and data from their Facebook accounts if they sign up via Facebook. The privacy policy says it cannot guarantee the security of the information it holds.
The findings come after the Mozilla Foundation recently published a report on ‘‘smart’’ tech, which found that only five of 18 products in the toy category met the organisation’s minimum safety standards.
Other toys passed the foundation’s safety standards but still raised concerns. For example, the authors noted that the Amazon Fire HD Kids Edition tablet enabled the retailer to access a child’s data ‘‘from the cradle’’.