UPDATED: Dec. 27, 2017
Did your child get an Internet-connected toy for Christmas or Hanukkah? There are risks associated with such toys and in this blog post I will share some of them, as well as details some tips you can take to help keep your child safe.
Toys with an internet connection have the same vulnerabilities and issues of any other Internet of Things device, which are numerous as this recent Wired.com story “Don’t Get Your Kid An Internet-Connected Toy” points out: “The IoT industry in general has a long way to go in terms of overall security, and toys as a subcategory are no exception.”
The FBI even issued a warning in 2017 about privacy concerns inherent with internet-connected children’s toys. They encourage consumers to consider cybersecurity before purchasing interactive, Internet-connected toys.
In 2015, more than 6 million user profiles were exposed in the VTech breach, putting the personal info of children at risk. In February 2017, the German government banned the internet-connected My Friend Cayla doll over spying concerns and went so far as to urge parents to destroy them. And a CloudPets database started leaking private information in December 2016, including audio recordings uploaded by children and parents alike, as well as profile pictures of kids, as detailed in this Forbes story. Even worse, Spiral Toys, the maker of CloudPets, didn’t seem to take the breach seriously or even respond to concerned security researchers until reports appeared online.
“Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions,” according to the FBI release published July 17, 2017. These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options.”
These are all features that could put the privacy and safety of your kids at risk, according to the release. How so?
- Toys with microphones could potentially record and collect conversations.
- With some toys, personal information, like name, date of birth, address, pictures, etc. is requested when creating a user account.
- Some companies collect additional data that includes voice messages, past and real-time physical locations, and Internet addresses/IPs.
This information presents two types of risk. The first risk is child identity theft, which is more prevalent than you might know. Five percent of the identity theft victims in 2015 were under the age of 19, according to the Federal Trade Commission. Read our blog post for signs your child’s identity may have been stolen, as well as some tips on how to keep your child’s identity safe. The second risk is of exploitation.
“The potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risk,” according to the release.
8 Tips to Protect Your Child’s Privacy and Safety
Look at those user agreement disclosures and privacy policies to find out where your family’s personal information is being stored or even worse, sold. Remember, that data could also be exposed in a data breach, which are increasingly prevalent. Breaches in the first half of 2017 were 29 percent higher than 2016 figures during the same time period, according to recent stats released by the Identity Theft Resource Center.
- Before bringing home the latest tech toy, do your due diligence and research a product, paying specific attention to any issues that have been brought to light by security researchers or other concerned parents.
- Only connect and use toys in environments with trusted and secured Wi-Fi Internet access
- Research if your toys can receive firmware and/or software updates and security patches. If they can, ensure your toys are running on the most updated versions and any available patches are implemented
- Closely monitor children’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if such features are available
- Ensure the toy is turned off, particularly those with microphones and cameras, when not in use
- Don’t just use the default user names and passwords. Take the time to customize the device setup and be sure and use strong and unique login passwords when creating user accounts (e.g., lower and upper case letters, numbers, and special characters)
- Provide only what is minimally required when inputting information for user accounts (e.g., some services offer additional features if birthdays or information on a child’s preferences are provided)
- Finally, if you’re concerned your child’s toy may have been compromised, file a complaint with the Internet Crime Complaint Center at www.IC3.gov.