Smart Toys Are Spying on Your Kids

Controversy over the security of internet-connected toys has been bubbling away but you know it's time to pay attention when the FBI puts out a PSA about it. Read on to get the inside line on this serious issue.

By Claire Broadley

The FBI has made a renewed plea to parents about the potential dangers of internet-connected toys. In the same week, the FTC in the United States has also revised its guidelines for smart toy manufacturers.

It’s good to see both organizations taking children’s privacy seriously. But parents will continue to buy the toys, ignorant of their dangers.

Smart toys are great gadgets, but they may not be as innocent as they seem. Even if the manufacturer complies with FTC regulations, there are still numerous risks to children who are left unsupervised with any connected device.

The FBI’s Stance on Smart Toys

The FBI’s statement does a good job of summarizing the main problems with internet-connected toys.

The privacy risk that these toys create is increasing, because the tech they incorporate is ripe for hacking. The fact that they are constantly used by children is appealing to people who wouldn’t be your first choice to babysit.

The popularity of smart toys practically ensures that they’ll be stored in places where cameras could be used to snoop on their surroundings. The FBI also picks out toys with microphones as a particular risk, because the toy could pick up both intentional and unintentional audio recordings of family conversations.

Beyond the toy itself, there are usually apps and accounts tied to the parent’s email address. Often, parents will use the child’s real name and photo, and there may be incentives for making the profile complete. A hack could expose information about entire families.

From hackable microphones and cameras to poorly-secured databases full of personal data, these toys’ vulnerabilities are significant.

Some devices have specialized functions that amplify the risk. Kids’ smart watches include GPS tracking that could be used to pinpoint the child’s location. Speech recognition and machine learning mean that children will likely develop a deeper bond with their toys, communicating with them frequently, and telling them personal details.

Toys that harvest internet histories, IP addresses, and payment details create a much broader risk of identity theft and fraud. When you consider that 50% of the victims of identity theft are under 6 years old, this is an obvious honeypot for hackers and fraudsters looking for an easy target.

Is the Panic Justified?

Most of us would be wary of buying any connected toy from an unknown manufacturer, particularly one that falls outside the remit of our own laws and regulations. Companies regulated by the FTC should — in theory — be rigorous in the way they use our data.

But even the best-known brands have raised alarm bells with the way they encourage children to interact with toys.

Take Mattel, for example. The multinational toy giant released Hello Barbie in 2015 to a storm of outrage from parents and privacy campaigners. The interactive doll records speech and sends it to the cloud to process custom responses. Harvesting children’s speech is a clear risk, particularly if the data is then processed by third parties. (The company behind Barbie’s speech is ToyTalk out of San Francisco, a legitimate cloud service provider.)

There’s no suggestion that Mattel or ToyTalk are putting privacy at risk directly. But there is something creepy about an unknown person listening on the other end. The same is true of devices for adults, like Alexa and Google Home, that collect recordings which can be replayed by the developers that code for them.

Perhaps the scariest aspect of these toys is how easily they can be exploited. They are not designed with security in mind, and the software on them is unlikely to be regularly updated, which makes this more of a risk. There are genuinely terrifying risks here. In July 2017, a family from Washington discovered that a hacker was speaking to their 3-year-old son through the speaker on their Foscam IP camera. The boy had told his parents he was scared, but it was only when they walked into the room while the man was talking that they realised what was going on.

IP cameras are not toys, but do have parallels. They contain mics and speakers, and they are used around people’s homes.

And the recent hack is by no means the first example; similar incidents date back as far as 2013. Any internet-connected device could theoretically be used in the same way.

What the Law Says

In the United States, the Federal Trade Commission (FTC) has been quick to update its regulations beyond toys to the services that drive them.

Smart toys are expected to comply with the Children’s Online Privacy Protection Act, or COPPA. Earlier this week, the FTC added companion services to its existing guidelines, tightening rules for the apps that connect to the toys, and the GPS services that collect location data.

In theory, the FTC can bring an enforcement action against a toy manufacturer that is flouting privacy rules. But there are two key problems with this approach. It’s only going to happen if the manufacturer is under the FTC’s jurisdiction; global marketplaces and ecommerce websites mean that many toys will not be. And if a toy is hacked, the manufacturer would never even know anyway.

Keeping Smart Toys Safe

Smart toys are essentially small computers, so you should not allow your child to use them unsupervised.

Parents may assume that known-brand toys carry fewer risks than toys bought from unknown or minor brands, particularly when those manufacturers are based outside a legal jurisdiction the parents are familiar with.

But any device that connects to the internet can be hacked in certain circumstances.

Here are some quick privacy and security tips, inspired by the FBI’s sensible guidelines for smart toy owners:

  • Buy toys from reputable stores. Stick to known brand manufacturers. Toys from online auction websites or foreign countries could present unknown privacy problems, and even carry malware right from day one.
  • Make sure the toy has clear instructions. They should be properly translated and complete.
  • Check the manufacturer’s privacy policy, and the privacy policy for any third party companies that have access to the data. If you can’t find the information you need on its website, steer clear.
  • Set up the account with minimal personal information. Avoid entering sensitive data that isn’t required for the toy to function.
  • Use a unique password for the online account, the app, and the toy itself if it requires one.
  • Avoid Bluetooth toys that don’t require a PIN or passcode to connect to another device.
  • Consider disabling GPS functionality. It could theoretically be used to locate your child as they play.
  • All toys should be switched off when not in use. If they are being charged overnight, they should not be left in the child’s bedroom.
  • Apply software updates for the toys as soon as they are released by the manufacturer.
  • If your child reports unusual behavior from a toy, switch it off and contact the manufacturer for advice.

Public Wi-Fi

Regardless of the toy you buy, never connect it to an unsecured network. That includes public Wi-Fi in hotels or restaurants, or any network with no password.

Data that flows through unsecured networks is intrinsically vulnerable to being monitored, collected, or altered, and there’s nothing you or the manufacturer can do to prevent it.

For the best security, only ever connect toys to networks that you control yourself. To boost privacy, choose a router that has a built-in VPN app so that all of your household’s data is encrypted.