You may be aware that anything connected to the Internet (computers, phones, tablets or any Internet-of-Things (IoT) device) comes with some risk, but what about children’s toys?
Dolls, robots, and fuzzy pets that respond to voice commands, record videos, and communicate with kids and parents through smartphone apps are often advertised as a “smart” toy, or a “connected toy.” What they really mean is “Internet-connected toy.”
Since other “smart” IoT devices seem to be near the top of everyone’s wish list this year, toy manufacturers are scrambling to take advantage of the craze. A quick online search of “2017 Top Holiday Gifts” shows plenty of smart webcams, smart home security systems, smart thermostats, smart TVs, and even a smart barbeque grill that connects to a smartphone app and tells you when your burger is cooked just right. You’ll also see tons of smart toys listed, but are these things really safe for kids? What kinds of information do the toys collect and where does it go? What should parents look out for?
Typically, a connected toy will have a microphone and speaker so it can listen, record, and reply to commands. Usually it has GPS to record location data. It may also have video capabilities, motion activators, and other sensors. One problem is that even when they’re not using it, kids can forget the doll is still listening and recording if it’s turned on. Imagine a stranger grabbing your child’s name, birthday, school, likes and dislikes, or even your kid’s voice. They could also grab a photo of your youngster and their friends, along with their location.
The first thing to consider is how does the toy itself secure the data it collects? Is it stored in the doll, or transmitted to the cloud? There are several reports of hackers grabbing over a million photos, voice recordings, and personal information that one manufacturer had stored in an Internet database but failed to lock up with a password.
Connections are another big weakness. How does the toy connect to the Internet? Some dolls connect through your home WiFi. Is your WiFi secure? What if I take the doll to a friend’s house? Can I connect and use it there? Some toys will connect to a parent’s smartphone over Bluetooth. Is the connection authenticated with a PIN, or can anyone within range connect to the doll? Is there an app for the smartphone? How does the app get updated? How does the software in the doll get updated?
In July the FBI issued a warning around Internet-connected toys and gave parents some advice including:
Before buying a smart toy, do an online search to see if there have been negative reports or reviews.
Read the company’s user agreement and privacy practices and make sure you are okay with them.
Pay particular attention to where your data is stored or sent, including third party services — and research their reputation.
Connect toys only to a secure WiFi access point.
If the toy uses Bluetooth, make sure it requires PINs or passwords when pairing with Internet-connected devices.
Make sure the toy uses encryption when transmitting data to the WiFi access point, the server or the cloud.
See if the toy can receive software updates and security patches and, if so, keep it updated to the most recent version.
Provide as little personal information as possible when setting up user accounts for the toy.
Turn the device off when not in use.
The acronym IoT has a new meaning — “Internet of Toys”— and just like the old abbreviation, for Internet of Things, this one comes with cybersecurity warnings. Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use. Parents need to take extra precautions and check these products for any problems that have been identified by security researchers or in consumer reports.
Original report from the Today show: https://www.youtube.com/watch?v=OkYVSag-uik
Watch a doll get hacked: https://www.youtube.com/watch?v=lAOj0H5c6Yc&feature=youtu.be
Full FBI advisory: https://www.ic3.gov/media/2017/170717.aspx
Weber iGrill (you know you want one): https://www.weber.com/US/en/product/igrill/
Chris Sorensen has been in the IT industry for over 30 years and is currently a cyber-security specialist for a fortune 10 company. In his spare time, he enjoys helping family and friends stay safe and secure on the Internet with tips and techniques delivered in a fun, non-technical style. Readers are welcomed to send questions to email@example.com.