Toys behaving badly: How parents can protect their family from IoT threats

The Internet of Things (IoT) is changing the way we live and work. From smart pacemakers to fitness trackers, voice assistants to smart doorbells, the technology is making us healthier, safer, more productive and entertained.

At the same time, it has also provided opportunities for manufacturers to market flashy new toys for our children. The global market for smart toys is set to see percentage growth in the double digits, to exceed US$24 billion by 2027. But when connectivity, data and computing meet, privacy and security concerns are never far away.

Chances are that you, too, are considering buying one of these toys for your children and so encourage their learning and creativity. However, to protect your data and privacy (and your child’s safety!), it pays to do some research before taking a leap into the world of connected toys.

What are smart toys and what are the cyber-risks?

Smart toys have been around for several years. Like any IoT device, the idea is to use connectivity and on-device intelligence to deliver more immersive, interactive and responsive experiences. This could include features like:

• Microphones and cameras that receive video and audio from the child
• Speakers and screens to relay audio and video back to the child
• Bluetooth to link the toy up to a connected app
• Internet connectivity to the home Wi-Fi router

With this kind of technology, smart toys can go beyond the inanimate playthings most of us grew up with. They have the power to engage children through back-and-forth interaction and even acquire new functionality or behaviors by downloading additional capabilities from the internet.

Unfortunately, manufacturers can skimp on safeguards in the race to market. As a result, their products could contain software vulnerabilities and/or allow insecure passwords. They might record data and send it covertly to third-party, or they could require parents input other sensitive details but then store them insecurely.

When toys go bad

There have been several examples in the past of this happening. Some of the most notorious are:

• The Fisher Price Smart Toy Bear was designed for children aged 3-8 as “an interactive learning friend that talks, listens, and ‘remembers’ what your child says and even responds when spoken to.” However, a flaw in the connected smartphone app could have enabled hackers to gain unauthorized access to user data.
• CloudPets allowed parents and their kids to share audio messages via a cuddly toy. However, the back-end database used to store passwords, email addresses and the messages themselves was stored insecurely in the cloud. It was left publicly exposed online without any password to protect it.
• My Friend Cayla is a child’s doll fitted with smart technology, enabling children to ask it questions and receive answers back, via an internet lookup. However, researchers discovered a security flaw which could allow hackers to spy on children and their parents via the doll. It led the German telecoms watchdog to urge parents to bin the device over privacy concerns. Much the same happened with a smartwatch called Safe-KID-One in 2019.

In Christmas 2019, security consultancy NCC Group ran a study of seven smart toys and found 20 noteworthy problems – including two that were deemed “high risk” and three that were medium risk. It found these common issues:

• No encryption on account creation and log-in process, exposing usernames and passwords.
• Weak password policies, meaning users could choose easy-to-guess login credentials.
• Vague privacy policies, often non-compliant with the US Children’s Online Privacy Protection Rule (COPPA). Others broke the UK’s Privacy and Electronic Communications Regulations (PECR) by passively collecting web cookies and other tracking info .
• Device pairing (i.e., with another toy or app) was often done vie Bluetooth with no authentication required. This could enable anyone within range to connect with the toy to:
• Stream offensive or upsetting content
• Send manipulative messages to the child
• In some cases (i.e., kids’ walkie talkies) a stranger would only need to buy another device from a store to be able to communicate with children in the area with the same toy.
• Attackers could theoretically hijack a smart toy with audio capabilities to hack smart homes, by sending audio commands to a voice-activated system (i.e., “Alexa, open the front door”).

How to mitigate the privacy and security risks of smart toys

With smart toys representing a certain degree of security and privacy risks, consider the following best practice advice to counter the threats:

• Do your research before buying: Check if there’s been negative publicity or research done on the model’s security and privacy credentials.
• Secure your router. This device is central to your home network and talks to all of your home’s internet-connected devices.
• Power down devices: When not in use, power the device down to minimize risks.
• Familiarize yourself with the toy: At the same time, ensure that any smaller children are under supervision.
• Check for updates: If the toy can receive them, ensure it’s running the latest firmware version.
• Choose secure connectivity: Ensure that devices use authentication when pairing via Bluetooth and use encrypted communications with the home router.
• Understand where any data is stored: And what reputation the company has for security.
• Use strong and unique passwords when creating accounts.
• Minimize how much data you share: This will reduce your risk exposure if the data is stolen and/or the company is breached.

Smart toys can indeed be educational and entertaining. By ensuring first that your data and kids are safe, you’ll be able to sit back and enjoy the fun.