The dangers of internet connected devices for children

Internet-connected devices and smart toys are pretty cool andthe industry is expected to reach $70 billion by 2026;  but they may come with cybersecurityvulnerabilities that could lead to your child’s information being exposed oreven worse, a stranger hacking the device and interacting with your child.Internet connected (IoT or smart) toys like LeapFrog, CloudPets, Hello Barbie,and My Cayla have hit the news for all the wrong reasons; not because they werethe hottest holiday toy of the year but they’ve been hacked.

Earlier this year, security vulnerabilities in the popular LeapFrog'sLeapPad tablets found that strangers could track a child’s location and send unsolicited messages on achat app found on the tablets. And now it has been discovered that 600,000 GPS trackers sold under various names that aredesigned for children have a range of security vulnerabilities that could allowothers to track children or transmit false data.

An unsecured MongoDB led to the exposure of voice recordings,pictures, and account information for the CloudPets line of IoT stuffedanimals. Over 2.2 million recordings were accessible and due to poor passwordsecurity requirements, over 800,000 accounts reportedly were vulnerable tobeing hacked. Following the disclosure of the vulnerabilities by acybersecurity researcher, the maker Spiral Toys downplayedthe severity of the incident but major retailers from Amazon to Walmarttook the toys “off the shelf” in 2018 after the information reached the ears ofMozilla and the Electronic Frontier Foundation.

In 2017, Germany banned the smart doll named “My FriendCayla” and urged parents to destroythe doll due to hacking concerns. The doll was classified as an “illegalspying device” as interactions with the doll were recorded and transmittedthe information to a voice recognition company. In fact, when asked “Cayla, can I trust you”, the doll responded “I don’t know”.

Other incidents with smart toys include the Hello Barbiedoll that allegedly could have been turned into a surveillance device due and aFisherPrice stuffed teddy bear that was found to be leaking sensitiveinformation. And we cannot forget the 2015 VTechdata breach that exposed the information of 5 million parents and children.

But it not just smart toys that are being hacked andaffecting children and familes. There have been numerous stories of parentsbeing woken in the middle of the night by strangevoices talking to their children, strangerswatching them, or even being threatened through compromised baby monitors. The storiesof hacked baby monitors are not new but what is worrisome is that many parentsstill do not take basic precautions like researching if the systems are vulnerableto hacking before purchase or after purchasing many fail to change theusername and password.

And when it comes to online data collection of informationabout minors, parents need to be aware that some sites and apps are collectingsensitive information about your children. The most recent example is thatGoogle and YouTube has agreed to pay $170 million for collecting information about minorswithout permission and will further restrict advertising on the platform forvideos that are likely to be viewed by users younger than 13-years-old. And thepopular TikTok video app banned children from their platform in February 2019after the FTC fined the company $5.7 million for failing to get consent fromparents, collecting information about minors, and failing to delete minor’sdata after parental requests.

So, what can parents do to allow their children to still havethe latest internet-connected toys or use the internet/apps without sacrificingsecurity? It is important that parents do not ignore the dangers of internetconnected toys simply because they are toys and recognize that there may bedangers associated with the toys.

Here are a few things that parents can do to help secure their family and smart toys:

• Immediately change the username and password of the device, if possible.
• Review what personal information you share about your family. The less the better. Share only what is required.
• Use privacy settings to adjust who has access to data.
• Turn off location tracking or restrict as much as possible
• See if there is a way to disable two-way communication
• Use strong passwords. Don’t trade ease of use for security.
• Talk to your children about sharing personal information, even with their toys and have a conversation with your children about sharing personal information online. The rule is that you only should share the information that is needed, don’t share optional information.
• Tell your children to inform you of any unusual interactions with their toys where their toys may be rude, acting strange, using different voices, or asking for their personal information.

Image by Nadine Doerlé from Pixabay