For last-minute shoppers, tech toys hold a special appeal. They’re crowdpleasers, and generally available with two-day shipping—or faster—from any number of online retailers. Stapling on internet connectivity also might make these flashy kids gadgets sound all the more appealing; it’s not just a teddy bear, it’s a machine learning teddy bear. On the other hand: don't. This is not a screed against technology generally, or even tech as it relates to kids; there are plenty of responsible, safe ways for children to navigate and benefit from the internet. Instead, it’s an important reminder that toys with an online connection are at their core just another IoT device, often replete with the same ills and vulnerabilities. Plus, they have the added horror of occasionally pointing a microphone or camera at your child.
“Generally, people may not make that leap" that an internet toy is just another part of the IoT landscape, says Tod Beardsley, research director at security firm Rapid7. But hackers who target poorly secured internet-connected devices don’t distinguish between, say, a generic webcam and a Wi-Fi action figure. “A lot of the infrastructure looks like regular old Linux or Android. An attacker doesn’t care; inside it’s just a computer,” Beardsley says.
That makes internet-connected toys prime candidates to join a so-called botnet, an army of zombie machines used by hackers to launch denial-of service-attacks against websites, servers, or other pieces of internet infrastructure. Remember that afternoon last fall when the internet shut down for the better part of an afternoon across the US? A botnet made that possible.
“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options,” the agency wrote. “These features could put the privacy and safety of children at risk.”
That's not just hypothetical alarmism. When Mattel rolled out its talking, Wi-Fi enabled Hello Barbie doll in 2015, the product proved easily hackable; an attacker could have stolen anything from passwords to actual snippets of conversation before the toy giant rolled out fixes. More recently, the Norwegian Consumer Council found that it was trivial to track kid-focused smartwatches from multiple companies, and even use them to communicate with children who wear them.
'Maybe Santa gets to know who’s been naughty and who’s been nice. But not toy companies.'
MARC ROTENBERG, EPIC
The list goes on, including real-world consequences. In March, a line of IoT teddy bears called CloudPets left two million messages recorded by the fluffy buddies exposed in an online database, where anyone could have listened to them—not to mention sifted through 800,000 emails and passwords that were exposed as well. The list goes on, but you get the point.
Not every internet-connected toy is insecure, just like not every home webcam falls prey to hackers. But the IoT industry in general has a long way to go in terms of overall security, and toys as a subcategory are no exception. Besides, hackers aren’t even your biggest concern—more often than not, the companies themselves are.
Last year, several advocacy groups jointly filed a complaint with the Federal Trade Commission against two specific products made by Genesis Toys, My Friend Cayla and i-Que Intelligence Robot, alleging that they “unfairly and deceptively collect, use, and share audio files of children's voices without providing adequate notice or obtaining verified parental consent.” The toys have already been banned in Germany, and stripped from the shelves of Target and Toys R Us. (You can still find them on Amazon, albeit in limited quantity as of this post.) Genesis Toys did not respond to a request for comment.
“Companies that are selling internet-connected toys are not just profiting from selling the device,” says David Monahan, campaign manager for Campaign for a Commercial-Free Childhood, a group dedicated to ending child-targeted marketing. “They’re profiting by collecting and monetizing a lot of sensitive information from kids.”
While the Children’s Online Privacy Protection Rule, known as “COPPA,” puts limits on that sort of data-harvesting, it mostly ensures that parents have to give consent before data collection happens. In the frenzy of setting up a Christmas gift, it’s easy to tap ‘yes’ without realizing exactly what it is you’ve agreed to.
"Internet connected toys are a privacy nightmare," says Marc Rotenberg, president of the nonprofit Electronic Privacy Information Center. "Maybe Santa gets to know who’s been naughty and who’s been nice. But not toy companies."
Make It Work
If you are going to give an internet-connected device—or already bought one and can’t find the receipt to return it—the most important thing you can do is to understand exactly how it works, what it collects, and what it does with that information.
That diligence extends to securing the device, as well. “Internet toys tend to be replete with default user names and passwords,” says Beardsley, which makes hacking them, well, child’s play. Take the time to customize the device setup, creating a unique password, and also figure out if and how the manufacturer pushes software updates, which often contain critical security patches.
DAVID MONAHAN, CCFC
Be aware, too, of how these toys function. “Anything that has an input sensor, like a camera or a microphone, has to be on in order to work as advertised,” says Beardsley. In the same way that an Amazon Echo or Google Home listens constantly—but only sends data back to a server after hearing a ‘wake word’—a toy that uses a camera to detect colors, say, is likely always watching. And it may not be clear under what circumstances it communicates what it sees and hears over the internet, or what it stores.
In fact, that Echo comparison proves apt for other reasons. Those devices raise privacy hackles as well, but least when you interact with Alexa or Google Assistant, you understand the risks. “As adults, we make decisions around making transactions online, we know what kind of information we’re putting out there that might be vulnerable,” says Monahan. “Kids don’t really understand that. They can’t make a conscious choice about sharing that information.”
Those potential issues even led Mattel to cancel a highly touted upcoming product. Its Aristotle AI assistant was designed as a sort of Echo for the stroller set, until the company nixed it in October over privacy concerns.
And at that point, what more do you need? When even the toy companies are having second thoughts, it's well past time to pull the plug on connected gifts.