FBI warns: Internet-connected toys might violate kid's privacy

Internet-connected toys can be hacked; thus, children’s privacy might be at risk

Nowadays children can be spoiled by toys that can not only move or talk, but provide a personalized experience. Modern Internet-connected (IoT) toys might include speech recognition function and allow searching the web. Nevertheless, these toys are exciting even for adults; they might put kid’s privacy at risk.

This Monday, Federal Bureau of Investigation (FBI) released a note that IoT toys might lead to the violation of children privacy.^[1] These toys have cameras, microphones and other features that allow collecting and storing a bunch of various information about kids and their parents. Different toys gather various types of information. However, most likely this data includes:^[2]

• full name;
• gender;
• date of birth;
• voice;
• oral and text messages;
• photographies;
• location;
• IP address;
• phone number;
• login details;
• credit card information;
• Wi-Fi passwords.

The privacy concerns are related to data storage. Companies might store aggregated data and use it for various purposes. However, FBI stressed worse possible threat – these toys can be hacked. As a result, attackers might use sensitive data to harm kids or their parents.

Parents should think about cyber security first before giving their children Internet-connected toys

In 2015, security experts warned about possible security issues caused by “Hello Barbie” doll. The doll had a microphone which allowed not only communicating with a kid but collect and store various information too. This toy was suspected to be collecting sensitive information in order to develop artificial-intelligence toys. Thus, information about a kid might be shared with numerous companies. ^[3]

Another American doll has been banned in Germany this year. Authorities claimed that “My Friend Cayla”^[4] is a digital spyware that collects information about both kids and their parents. The doll was banned from stores. Meanwhile, parents were advised to destroy it.

This year we have also received the news about CloudPets data leak. This fluffy toy allowed recording messages and transferring them via a fluffy toy. However, more than half a million users' data, such as email addresses, passwords, profile pictures and voice recordings were leaked.^[5]

Tips to protect your kid's privacy

We have provided only a few examples of security issues of the Internet-connected toys. However, these cases should encourage parents to be more careful with these toys and make sure that they let children play with safe dolls or fluffy toys. In order to avoid cyber crimes, robbery or privacy-issues you should follow these tips:

• Connect toys to trusted and secured Wi-Fi.
• Use encryption for data transmission from the toy to Wi-Fi access point.
• Set PIN code or password when pairing your device with Bluetooth.
• Make sure that your IoT toys don't have any security patches. If it's available, install all updates regularly.
• Carefully read the Privacy Policy and other documents to learn about data collection and storage. What is more, you should do your own research about the company with a focus on changes to these documents.
• Make sure that the toy (especially microphones and cameras) is turned off when not in use.
• Use strong passwords when creating user accounts.
• Provide as less information as possible when creating users accounts.
• Monitor your kid’s activity when using the toy.