The Dangers of Internet Connected Toys

Smart toys are pretty cool, but they also come with some inherent cybersecurity vulnerabilities that could lead to your or your child’s sensitive information being exposed or, even worse, a hacker interacting with your child. Internet-connected (IoT or smart) toys like CloudPets, Hello Barbie, and Cayla have recently hit the news for all the wrong reasons: they’ve been hacked.

An unsecured MongoDB database led to the exposure of voice recordings, pictures, and account information for the CloudPets line of IoT stuffed animals. Over 2.2 million recordings were accessible and, due to poor password security requirements, over 800,000 accounts reportedly were vulnerable to being hacked. So far, following the disclosure of the vulnerabilities by a cybersecurity researcher, the maker, Spiral Toys, has downplayed the severity of the incident but reportedly, as of 2/28/17, has filed a breach notification with the California Attorney General.

In mid-February, Germany banned a doll called “My Friend Cayla” and urged parents to destroy the doll due to hacking concerns. The connected doll was classified as an “illegal spying device” because interactions with the doll were recorded and the information was transmitted to a voice recognition company. It is believed that the Bluetooth connection on the dolls was insecurely implemented, which could lead to hackers being able to interact with children.

These are just two of the recent examples, but they are not at all isolated. The Hello Barbie doll allegedly could have been turned into a surveillance device due to security vulnerabilities. A Fisher Price stuffed animal teddy bear also was found to be vulnerable to leaking sensitive information. And what parent could forget about the 2015 VTech data breach that exposed the data of 5 million parents and children?

And it is not just smart toys that are being hacked and affecting children. There have been numerous stories of parents being woken in the middle of the night by strange voices talking to their children, or even of strangers watching them through hacked baby monitors. The stories of hacked baby monitors are not new, but what is worrisome is that many parents still do not take basic precautions like researching whether the systems are vulnerable to hacking before purchase, or even changing the username/password.

So enough with the doom and gloom, what can parents do to allow their children to still have the latest and coolest toys without sacrificing security? It is important that parents do not ignore the dangers of internet connected toys simply because they are toys. IoT devices are continually being hacked to attack (5000 IoT devices attack university) or collect information on their owners (spy agencies plan to use IoT vulnerabilities to spy).

Here are a few things that parents can do to help secure their family and smart toys against hackers:

  • Immediately change the username and password of the device, if possible.
  • Review what personal information you share about your family. The less the better. Share only what is required.
  • Use privacy settings to adjust who has access to data.
  • Turn off location tracking or restrict it as much as possible.
  • See if there is a way to disable two-way communication.
  • Tell your children to inform you of any unusual interactions with their toys. Talk to your children about sharing personal information, even with their toys.
  • Use strong passwords. Don’t trade ease of use for security.