Safeguard your kids’ toys against hackers
Technology is having a huge impact on the toy industry. Today, many toys include some technology-enabled interactive element, from video displays to web-based connections that facilitate communities and other features. These new bells and whistles may excite children—and help toy retailers appeal to an increasingly tech-savvy generation—but they often come with many new IT security risks. Concerns include hacking, surveillance, and data privacy. In the wrong hands, toys can be used to stalk children and commit identity theft.
Toys that connect to the internet, either via wireless network or cables to a PC/laptop are effectively part of the Internet of Things. Any such device can be hacked remotely from anywhere in the world, exposing children to surveillance and manipulation. For example,
- Researchers found vulnerabilities in several smart watches designed for children that allow hackers to track the wearer’s location, or eavesdrop on conversations. Norway’s Consumer Council recently conducted a review and found flaws in several models, including the Xplora, Viksfjord, and Gator 2.
- CloudPets, connected fuzzy pets that interact with children, allowed Bluetooth connection without authentication, making it possible for anyone to hack the toy. Worse yet, the maker, Spiral Toys, misconfigured its database, exposing two million voice recordings of kids and their families.
- My Friend Cayla doll by Genesis was shown to have security weakness that let others with a smart-phone hijack the doll. In February 2017, the German Federal Network Agency declared the dolls to be concealed espionage devices violating the German Telecommunications Act and directed parents to “destroy” any Cayla dolls in their possession.
- Even the most popular interactive toys from major toy companies, like Hasbro’s Furby Connect, have been shown to exhibit security weaknesses.
In the end, any internet enabled toy with microphones, cameras, and GPS could allow hackers to listen, watch, and locate a child.
Here are 10 things parents can do to help ensure that these toys aren’t leaving them vulnerable to security flaws:
- Power toys down when not in use to be sure they are not being used for eavesdropping.
- Never allow young children to peruse the internet unsupervised.
- Scrutinize any web-based applications that collect sensitive child information, like addresses, birthdates, or family names. Share as little information as possible – there is little consumer benefit to sharing even the simplest information and you never know where it could end up.
- Parents should maintain passwords and user names for toys, games, websites or social media used by children and routinely check them. Be sure passwords are enabled and strong (including numbers and symbols makes them much stronger).
- Do your research. Google the toy’s name to search for known security risks. Check FBI alerts. Research the toy to see it can receive firmware and software updates. Investigate where any information entered into the toy is stored – locally or in the cloud.
- Bluetooth-enabled toys have limited range – typically 30-300 feet depending on the implementation. That makes them safer to play with at home than in public places like airports, schools, or malls.
- Only connect toys to secure and trusted WiFi networks.
- Consider home network protection. Vendors like Bitdefender and F-Secure SENSE offer security protection tools for internet-enabled devices including toys that protect against malware, stolen passwords, spying, and other potential hazards.
- Toy makers typically have very limited technology budgets and sometimes are sloppy when it comes to security. However, any device can be hacked or reverse engineered with enough effort, so there are always risks.