Photo Credit: iStock/nd3000
If so-called “smart toys” are on the holiday wish list of the children in your life, know this: The FBI warns that such interactive, Internet-connected gifts could be compromised by cyber hackers – and advises that security precautions be taken before playtime begins.
Although the agency doesn’t identity specific risky products, “these toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options,” notes the FBI. “These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” They include dolls, stuffed animals, card packs, wrist bands and other playthings typically connected to the Internet, either directly through Wi-Fi or indirectly via Bluetooth to a smartphone (which, in turn, is connected to the Internet).
Among the concerns: Many smart toys, often intended to promote learning, have microphones that “could record and collect conversations within earshot of the device,” says the agency – including ID theft-worthy details such as the child’s name, address and birthdate. (Meanwhile, such details may be provided or required when creating user accounts.)
“In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs,” says the agency. “The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”
Some smart toys have already come under fire. Earlier this year, an Internet-connected doll called “My Friend Carla,” with an internal microphone, was banned in Germany. Meanwhile, an Australian security researcher reports that more than 2 million voice recordings were exposed via “Cloud Pets,” stuffed animals that allow parents and children to exchange voice messages. And last December, smart toy manufacturer V-Tech acknowledged that close to 5 million customer accounts were hacked via smart toys “Learning Lodge” and “Kid Connect,” allowing hackers to access children’s names, addresses, birthdates, chat histories and photos.
In addition to microphones, recording devices, cameras and GPS capability, other risks in Internet-connected smart toys include features such as speech recognition technology, speakers, and/or wireless transmitters and receivers. Also be mindful (and cautious) with products that request names, addresses, and other personal information when you register; have cloud connection capability (and remain connected to the cloud when the toy is turned off); and/or don’t include an End User License Agreement or identify its cloud storage provider.
As with other risk-posing “smart” devices in your home, here’s how to be smart with these high-tech toys:
- Before buying, research the product for any reported security issues. Also look for certification or verification by members of the COPPA Safe Harbor Program (for Children’s Online Privacy Protection Act), an FTC-affiliated group.
- Read the company’s privacy policy and user agreement. Find out where user data is stored (with the company, third party services or both), and research their reputations, especially in regards to cyber security.
- Determine how (or if) you would be notified about a possible data breach or if vulnerabilities in the toy are discovered.
- Only connect and use the toy on a trusted and secure internet access – not on public Wi-Fi.
- Use a strong and unique PIN or password when connecting to a Bluetooth device. If the product comes with default password, change it.
- Use encryption when transmitting data from the toy.
- If the toy can receive software updates and security patches, ensure it is using the most updated version.
- Make sure the toy is turned off when not in use, especially if the toys use microphones and cameras.
- Be stingy with personal information when setting up user accounts. A teddy bear really doesn’t need to know your child’s last name, address or birthdate. Also teach young’uns to not “overshare” personal details when playing with or near the toy.
- Turn the toy off when your children are not using it, especially if it has a camera and/or microphone.
For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs of scams and law enforcement alerts in your area at our Scam-Tracking Map.
