Be wary of ‘smart’ toys
The acronym IoT has a new meaning — “Internet of Toys” — and just like the old abbreviation, for Internet of Things, this one comes with urgent cybersecurity warnings. The FBI is cautioning that internet-connected toys, also known as “smart toys,” can be compromised by hackers. The FBI’s Internet Crime Complaint Center goes into extraordinary detail in its release, saying strangers can pinpoint your address, snag children’s names and birth dates, download your son or daughter’s photo and even listen in on your conversations and record your child’s voice.
This is not just a heads up about potential child identity theft. The FBI has more serious concerns: “The potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks,” the release states. “The FBI encourages consumers to consider cybersecurity prior to introducing smart, interactive, internet-connected toys into their homes.”
So what types of toys should parents scrutinize? Here are several risk factors provided by the FBI and Security Intelligence. com. Be cautious if the toy:
Connects directly to the internet via Wi-Fi or connects via Bluetooth to a device which is, in turn, connected to the internet.
Contains speakers, microphones, a recording device, cameras, or wireless transmitters and receivers.
Has speech-recognition capability and GPS capability. Connects to a mobile app. Requests name, address, date of birth or other personal information when you register. Stores your data internally. Sends your data to the manufacturer or partners.
Has cloud connection capability.
Remains connected to the cloud even when it’s off.
Does not come with an End User License Agreement or EULA, or the cloud storage provider is not identified in the EULA.
The concern is more than theoretical. Several specific toys already have come under fire.
In February, Germany banned an internet-connected doll called My Friend Cayla and advised parents who already own one to destroy it. Cayla, made by Genesis toys, contains an internal microphone that criminals could use to listen in on children — but that’s not all. The Norwegian Consumer Council says strangers could also speak to children through Cayla and demonstrated how it could be done in a wellproduced YouTube video.
Another controversy, also in February, involved Cloud Pets, which are internet-connected stuffed animals that allow parents and children to leave voice messages for each other. A security researcher discovered a couple million of those voice recordings in a poorly secured internet database. And because manufacturer Spiral Toys did not require complex passwords, it was feasible for hackers to access the recordings. Spiral Toys chief executive Mark Meyers told NetworkWorld, “We looked at it and thought it was a very minimal issue.”
Earlier, V-Tech acknowledged that close to 5 million of its customers’ Learning Lodge, Kid Connect and other accounts were hacked. Those accounts allowed children to download games or communicate with their parents on V-Tech devices. A hacker was able to access children’s photos, names, dates of birth, addresses and chat histories. The Motherboard website shared portions of hacked family photos and a child’s recording to demonstrate that the threat was real.
How available are internetconnected toys? A quick internet search revealed smart toy technology housed in dolls, stuffed animals, dinosaurs, unicorns, teddy bears, stationary bicycles, wrist bands, children’s tablets — and more. That’s why, in June, the Federal Trade Commission updated its guidance about COPPA, the Children’s Online Privacy Protection Act, to include internet-connected toys.
Meanwhile, the FBI suggests parents take several steps to protect their children from the potential dangers:
Look for internet-connected toys that are certified by an FTCapproved group that has verified they protect children’s privacy.
Connect toys only to a secure Wi-Fi access point.
Find out if the company will notify you if it suffers a data breach or discovers vulnerabilities.
Provide as little personal information as possible when setting up user accounts for the toy. Choose strong, unique passwords when creating your account.
If you believe your child’s toy has been compromised, file a complaint with the FBI’s Internet Crime Complaint Center.
Or, if all this vigilance sounds overwhelming, you could always send your kids outside to play.