FBI Issues Legitimate Warning to Parents About Smart Toys

The FBI released a public service announcement earlier this week advising parents to strongly consider cyber security prior to purchasing internet-connected toys for their children.

Children’s toys aren’t usually seen as posing major security risks due to their disarmingly cuddly and bright exteriors. However, the FBI notice warns that manufacturers have been increasingly incorporating sophisticated technologies into toys in order make them more interactive and adaptive to users: “These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options.”

While this is not necessarily a bad thing and may very well make for a rich and entertaining experience for kids during playtime, these features could also jeopardize their privacy and security “due to the large amount of personal information that may be unwittingly disclosed.”

High-tech toys have capabilities that allow them to collect vast amounts of user data; they can record conversations within earshot, snap and store photos, and log data on users’ daily routines and whereabouts via GPS, among other things. Users also typically give personal information (e.g. dates of birth, passwords, and home addresses) when creating online personal accounts for their toys. This trove of data is typically stored by manufacturers on a third-party server or on the cloud, rendering it vulnerable to inadvertent exposure or hacking, which in turn could lead to identity fraud.

Unfortunately, such concerns are not far-fetched in a world where everything from presidential campaigns to hospitals are being hacked. To make matters worse, the FBI writes that adequate “security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use.” 

In late 2015, Hong Kong toymaker VTech came under fire for shoddy security measures when its tablets were hacked, exposing the personal data of more than 11 million adults and children. Earlier this year in March, US toymaker CloudPets exposed 820,000 accounts along with hundreds of thousands of voice recordings and pictures of users due to a major security flaw that left the data stored on a server without password protection. Such concerns prompted Germany to take the extraordinary measure of banning sales of a smart doll in the country earlier this year.  

To ensure that this doesn’t happen, the FBI implores parents to do their due diligence before buying smart toys: “Consumers should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services.”

In addition, parents should perform online research of the toy’s security measures and check for any known security flaws. After purchase, parents should closely monitor their child’s activities with the devices, download accompanying parent’s apps if possible, and make sure that the toys are only turned on during use.

Other common sense tech precautions apply here. Parents should adopt strong passwords, only connect to trusted and secured Wi-Fi networks, and always download the latest updates and security patches released by the manufacturer.