So you want to buy your child an Internet-connected toy? You may want to rethink that idea. You may not even think about the danger you could be putting your child in, but the FBI warns that hacking a child’s toy is very possible.

FBI warns parents that Internet-Connected toys

Toys that connect to the Internet are becoming more and more common, but many parents fail to consider that those toys could be used to spy on kids, possibly jeopardizing their safety. In a report released on the 17th (can be accessed here), the FBI’s Internet Crime Complaint Center (IC3) urges parents to consider cyber security before buying children IoT (Internet of Things) toys.

How exactly does an IoT toy endanger your child?

Internet-connected toys are vulnerable to hacks, as is any device using the Internet. Because children are involved, toy developers should make device security a priority. Unfortunately, many companies producing such toys fail to ensure that their products are as secure as they can be, due to the rush to release as many toys as possible. Those toys come with microphones, cameras, GPS and data storage options, and if a toy is exploited, all the personal information it has gathered could be exposed to malicious parties. That includes names, locations, hobbies, etc.

In order to use the toy to its full potential, you need to create an account, where you provide all kinds of information, such as name, date of birth and address. Once you start using the toy, additional information is constantly gathered. If the toy has a microphone, it would record voices and conversations within earshot. Location data would also be collected if GPS is integrated. The toy connects to the Internet, which makes it susceptible to hacking. Over time, the toy gathers all kinds of data about your child. Now imagine what the wrong people could do with that information. The misuse of that data could lead not only to identity fraud but could also present exploitation risks, IC3 explains in its report.

How could a potential hacker get access to private information?

IoT toys connect to the Internet in order to transfer the collected data to the developers. It is then stored on a server or in cloud services. The toy manufacturer is not the only party with access to it. Companies that manage certain services provided by the toy, such as voice recognition, will not only have access to that data but will also collect their own. If the parties that handle those services do not take sufficient measures to protect your data during transfer and storage, those vulnerabilities could easily be taken advantage of and your data could be stolen.

Hacking has already happened

So far, it sounds like a far-fetched outcome, right? Unfortunately, hacks of Internet-connected toys have already happened. Perhaps one of the better-known hacks happened back in 2015, when someone hacked the servers of VTech, an electronic learning product supplier, and gained access to the data of millions of people, including children. The alleged hacker revealed that he or she was able to gather information, such as conversations and even head-shots, from the Kid Connect service, which parents and children use to have conversations via a smartphone app or VTech tablet. In addition, the data breach exposed the personal information of millions of users, both adults and children. According to security researcher Troy Hunt, the company failed to secure the data while it was being transferred from the devices in use to VTech servers. He further added that the information was in plaintext and was not encrypted. The hacker him/herself was appalled at the lack of security and did not expose or sell the data collected.

So what can you do?

The FBI has provided the following ways to make sure your child is not put in danger.

  • Research for any known reported security issues online to include, but not limited to:
  • Only connect and use toys in environments with trusted and secured Wi-Fi Internet access
  • Research the toy’s Internet and device connection security measures
    • Use authentication when pairing the device with Bluetooth (via PIN code or password)
    • Use encryption when transmitting data from the toy to the Wi-Fi access point and to the server or cloud
  • Research if your toys can receive firmware and/or software updates and security patches
    • If they can, ensure your toys are running on the most updated versions and any available patches are implemented
  • Research where user data is stored – with the company, third party services, or both – and whether any publicly available reporting exists on their reputation and posture for cyber security
  • Carefully read disclosures and privacy policies (from company and any third parties) and consider the following:
    • If the company is victimized by a cyber-attack and your data may have been exposed, will the company notify you?
    • If vulnerabilities to the toy are discovered, will the company notify you?
    • Where is your data being stored?
    • Who has access to your data?
    • If changes are made to the disclosure and privacy policies, will the company notify you?
    • Is the company contact information openly available in case you have questions or concerns?
  • Closely monitor children’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if such features are available
  • Ensure the toy is turned off, particularly those with microphones and cameras, when not in use
  • Use strong and unique login passwords when creating user accounts (e.g., lower and upper case letters, numbers, and special characters)
  • Provide only what is minimally required when inputting information for user accounts (e.g., some services offer additional features if birthdays or information on a child’s preferences are provided)

