Internet-connected devices and smart toys are pretty cool, and the industry is expected to reach $70 billion by 2026, but they may come with cybersecurity vulnerabilities that could lead to your child’s information being exposed or, even worse, a stranger hacking the device and interacting with your child. Internet-connected (IoT or smart) toys like LeapFrog, CloudPets, Hello Barbie, and My Cayla have hit the news for all the wrong reasons: not because they were the hottest holiday toy of the year, but because they’ve been hacked.
Earlier this year, security vulnerabilities were found in LeapFrog’s popular LeapPad tablets that meant strangers could track a child’s location and send unsolicited messages through a chat app found on the tablets. And now it has been discovered that 600,000 GPS trackers designed for children and sold under various names have a range of security vulnerabilities that could allow others to track children or transmit false data.
An unsecured MongoDB database led to the exposure of voice recordings, pictures, and account information for the CloudPets line of IoT stuffed animals. Over 2.2 million recordings were accessible and, due to poor password security requirements, over 800,000 accounts reportedly were vulnerable to being hacked. Following the disclosure of the vulnerabilities by a cybersecurity researcher, the maker, Spiral Toys, downplayed the severity of the incident, but major retailers from Amazon to Walmart took the toys “off the shelf” in 2018 after the information reached the ears of Mozilla and the Electronic Frontier Foundation.
In 2017, Germany banned the smart doll named “My Friend Cayla” and urged parents to destroy the doll due to hacking concerns. The doll was classified as an “illegal spying device” because interactions with the doll were recorded and transmitted to a voice recognition company. In fact, when asked “Cayla, can I trust you?”, the doll responded “I don’t know”.
Other incidents with smart toys include the Hello Barbie doll, which allegedly could have been turned into a surveillance device, and a Fisher-Price stuffed teddy bear that was found to be leaking sensitive information. And we cannot forget the 2015 VTech data breach that exposed the information of 5 million parents and children.
But it is not just smart toys that are being hacked and affecting children and families. There have been numerous stories of parents being woken in the middle of the night by strange voices talking to their children, of strangers watching them, or even of parents being threatened through compromised baby monitors. The stories of hacked baby monitors are not new, but what is worrisome is that many parents still do not take basic precautions. Many do not research whether a system is vulnerable to hacking before purchase, and after purchasing, many fail to change the username and password.
And when it comes to online data collection of information about minors, parents need to be aware that some sites and apps are collecting sensitive information about their children. The most recent example is that Google and YouTube have agreed to pay $170 million for collecting information about minors without permission and will further restrict advertising on the platform for videos that are likely to be viewed by users younger than 13 years old. And the popular TikTok video app banned children from its platform in February 2019 after the FTC fined the company $5.7 million for failing to get consent from parents, collecting information about minors, and failing to delete minors’ data after parental requests.
So, what can parents do to allow their children to still have the latest internet-connected toys or use the internet and apps without sacrificing security? It is important that parents do not ignore the dangers of internet-connected toys simply because they are toys, and that they recognize there may be dangers associated with them.
Here are a few things that parents can do to help secure their family and smart toys:
- Immediately change the username and password of the device, if possible.
- Review what personal information you share about your family. The less the better. Share only what is required.
- Use privacy settings to adjust who has access to data.
- Turn off location tracking or restrict it as much as possible.
- See if there is a way to disable two-way communication.
- Use strong passwords. Don’t trade ease of use for security.
- Talk to your children about sharing personal information, both with their toys and online. The rule is that you should only share the information that is needed; don’t share optional information.
- Tell your children to inform you of any unusual interactions with their toys where their toys may be rude, acting strange, using different voices, or asking for their personal information.