The acronym IoT has a new meaning — “Internet of Toys”— and just like the old abbreviation, for Internet of Things, this one comes with urgent cybersecurity warnings. The FBI is cautioning that Internet-connected toys, also known as “smart toys,” can be compromised by hackers. The FBI’s Internet Crime Complaint Center goes into extraordinary detail in its release, saying strangers can pinpoint your address, snag children’s names and birth dates, download your son or daughter’s photo and even listen in on your conversations and record your child’s voice.
This is not just a heads up about potential child identity theft. The FBI has more serious concerns: “The potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks,” the release states. “The FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes . . .”
So what types of toys should parents scrutinize? Here are several risk factors provided by the FBI and SecurityIntelligence.com. Be cautious if the toy:
• connects directly to the Internet via WiFi.
• connects via Bluetooth to a device which is, in turn, connected to the Internet .
• contains speakers.
• contains microphones.
• contains a recording device.
• contains cameras.
• contains wireless transmitters and receivers.
• has speech recognition capability.
• has GPS capability.
• connects to a mobile app.
• requests name, address, date of birth or other personal information when you register.
• stores your data internally.
• sends your data to the manufacturer and/or partners.
• has cloud connection capability.
• remains connected to the cloud even when it’s off.
• does not come with an End User License Agreement or EULA.
• The cloud storage provider is not identified in the EULA.
The concern is more than theoretical. Several specific toys have already come under fire.
In February, Germany banned an Internet-connected doll called “My Friend Cayla” and advised parents who already own one to destroy it. Cayla, made by Genesis toys, contains an internal microphone that criminals could use to listen in on children — but that’s not all. The Norwegian Consumer Council says strangers could also speak to children through Cayla and demonstrated how it could be done in a well-produced You Tube video.
Another controversy, also in February, involved “Cloud Pets,” which are Internet-connected stuffed animals that allow parents and children to leave voice messages for each other. A security researcher discovered a couple million of those voice recordings in a poorly secured Internet database. And because manufacturer Spiral Toys did not require complex passwords, it was feasible for hackers to access the recordings. Spiral Toys chief executive Mark Meyers told NetworkWorld, “We looked at it and thought it was a very minimal issue.”
Earlier, V-Tech acknowledged that close to 5 million of its customers’ “Learning Lodge,” “Kid Connect” and other accounts were hacked. Those accounts allowed children to download games or communicate with their parents on V-Tech devices. A hacker was able to access children’s photos, names, dates of birth, addresses and chat histories. The Motherboard website shared portions of hacked family photos and a child’s recording to demonstrate that the threat was real.
How available are Internet-connected toys? A quick Internet search revealed smart toy technology housed in dolls, stuffed animals, dinosaurs, unicorns, teddy bears, stationary bicycles, wrist bands, children’s tablets — and more. That’s why, in June, the Federal Trade Commission updated its guidance about COPPA, the Children’s Online Privacy Protection Act, to include Internet-connected toys. Under COPPA, among other things, companies are supposed to ask parental permission before collecting personal information about children under age 13. Staffers in the office of Sen. Edward J. Markey (D-Mass.) says he is planning to reintroduce a bill that would expand COPPA.
Meanwhile, the FBI suggests parents take several steps to protect their children from the potential dangers of Internet-connected toys:
1. Look for Internet-connected toys that are certified by an FTC-approved group that has verified they protect children’s privacy.
2. Before buying a smart toy, do an online search to see if there have been negative reports or reviews.
3. Read the company’s user agreement and privacy practices and make sure you are okay with them.
4. Pay particular attention to where your data is stored or sent, including third party services — and research their reputation.
5. Connect toys only to a secure WiFi access point.
6. If the toy uses Bluetooth, make sure it requires PINs or passwords when pairing with Internet-connected devices.
7. Make sure the toy uses encryption when transmitting data to the WiFi access point, the server or the cloud.
8. See if the toy can receive software updates and security patches and, if so, keep it updated to the most recent version.
9. Find out if the company will notify you if it suffers a data breach, discovers vulnerabilities in its toy or changes its disclosures.
10. Provide as little personal information as possible when setting up user accounts for the toy.
11. Choose strong, unique passwords when creating your account.
12. Pay attention to what your children are doing with the toy, either by monitoring them in person or using the parent portal, if there is one.
13. Turn the toy off when your children are not using it, especially if it contains cameras and/or microphones.
14. If you believe your child’s toy has been compromised, file a complaint with the FBI’s Internet Crime Complaint Center .
Or, if all this vigilance sounds overwhelming, you could always send your kids outside to play.
More from The Washington Post: