Think twice before buying a smart toy for your child

For a while now, security researchers have been warning about the security and privacy dangers of many popular “smart” toys.

While consumer protection organizations are clamouring for action from data protection authorities and the likes of the US Federal Trade Commission, the FBI has focused on educating consumers about the potential dangers of such toys.

“Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use,” the Bureau noted in a public service announcement.

The FBI explained that data collected from interactions or conversations between children and toys are typically sent and stored by the manufacturer or developer via server or cloud service.

“In some cases, it is also collected by third-party companies who manage the voice recognition software used in the toys,” they noted. “Voice recordings, toy Web application (parent app) passwords, home addresses, Wi-Fi information, or sensitive personal data could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.”

Advice for users to minimize the dangers

Before even thinking about buying and using them, consumers should:

• Do an online search for the product’s known security issues
• Examine toy company user agreement disclosures and privacy practices (from company and any third parties)
• Enquire where the personal data collected by these toys is sent and stored
• Research the toy’s Internet and device connection security measures (secure app-toy pairing, traffic encryption)
• Check whether the toys can and do receive firmware and/or software updates and security patches

If they do decide to use the toy, they should:

• Use strong and unique login passwords when creating user accounts, and provide the minimal amount of information required to create the account
• Monitor children’s activity with the toys through the toy’s partner parent application (if it’s possible)
• Ensure the toy is turned off when not in use (particularly those with microphones and cameras).

“Personal information (e.g., name, date of birth, pictures, address) is typically provided when creating user accounts. In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs,” the agency explained.

“The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”