8 ways to help protect your kids’ privacy against smart toy vulnerabilities

The man slipped into the darkened room quietly, treading carefully so as not to wake the person sleeping on the bed. He paused as the figure stirred, then placed the cleverly disguised device in an unobtrusive spot on a corner shelf. Opening an app on his smartphone, he ensured the sensors, microphone and camera were working, then quickly retreated to the door, closing it gently behind him. Mission accomplished.

No, this isn’t a scene from the latest spy film. It’s a scenario that could be playing out in connected homes across the country as more and more parents use smart baby monitors to keep an eye on their little ones. No longer glorified speakers, baby monitors have evolved into sophisticated smart devices that allow concerned parents to make sure their children are safe and secure.

Ironically, connected baby monitors and other high-tech Internet of Things (IoT) devices made with children in mind could put your privacy and personal information in harm’s way. In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning that Internet-connected toys could present privacy concerns for children.¹

How can smart toys put children at risk?

In addition to the more mainstream microphones and cameras, the newest generation of connected toys now offer high-tech features such as speech and facial recognition and GPS tracking.

These features alone may not put children in physical danger, but the information they collect — and how that data is stored or shared — could. For example, a smart doll that responds to questions might have a voice-recognition feature that also records their chats in order to make the doll “smarter” for future conversations. In this scenario, personally identifying and sensitive information could be collected, such as a child’s name, school or routines. If that information being recorded is not encrypted, or if the data is transmitted via Bluetooth or over an unsecured Wi-Fi connection, cybercriminals could potentially gain access to valuable information that could be used for identity theft. Or, if the toy company states in its privacy policy that it allows user data to be sold, a child’s identifying information could end up in the hands of third parties.

Since smart devices and toys have been largely unregulated, the U.S. government is stepping in to implement policies to help give parents more control over what information websites can collect about their children. The Children’s Online Privacy Protection Act (COPPA) set standards for online information collection about children under 13.² On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for COPPA-complying companies to include key protections about internet-connected toys and associated services such as mobile apps, GPS and VoIP.³

IoT security warnings from the young

In May 2017, an 11-year-old boy named Reuben Paul schooled a room full of security experts on how to hack Bluetooth-enabled devices to take control of an IoT teddy bear. As he explained, “Most internet-connected things have a Bluetooth functionality … I basically showed how I could connect to it, and send commands to it.”⁴

“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things. … From terminators to teddy bears, anything or any toy can be weaponized,” said the Texas sixth-grader.⁴

8 ways to help protect your kids' privacy against sketchy smart toys

Aside from protecting your connected home — including vulnerable smart toys — with a secure Wi-Fi router, here are a few tips that could give your smart toy story a happier ending.

1. Secure your Wi-Fi network with a unique and complex password (not the one that came with the device) and turn off device features that automatically connect to Wi-Fi or Bluetooth. Your smart toys could be less vulnerable to hackers if they aren’t constantly connected to the Internet, so remember to disconnect them or turn them off when they’re not in use.
2. Before buying a smart device for your child, be sure to research it for negative news stories or consumer reviews. You might also check child advocacy websites, like Common Sense, for more information.
3. Sometimes in the rush for manufacturers to get their new products to market, they may overlook security features. Determine what in-place security measures come with the toy. What kind of data is captured, such as voice recordings or facial recognition. Is that data encrypted or does the toy require authentication like a PIN or password when pairing with Bluetooth or Wi-Fi?
4. Read the privacy policy to find out what types of information will be collected and how they will be used. The privacy policy should also contain a section about security, which explains how that data will be secured.
5. Know if the toy stores data internally or uses the cloud. There are benefits to having collected data stored on the device, such as not having to worry about the security of external servers. If data is transmitted, it should be encrypted.
6. Find out if the toy’s firmware or software will be updated automatically or if you will need to be vigilant about updating these yourself when they are made available by the manufacturer. If the latter, always be sure to install patches or updates as soon as possible. Doing so could protect the device from known vulnerabilities.
7. Many connected toys have apps or online portals where you can set up a user account to log in. Be sure to use a complex password and fill in personal account details with caution. Think twice about providing your child’s full name and date of birth, which could potentially mark him or her for identity theft if that data is stolen or breached. Consider entering an alias or nickname for your child instead.
8. Monitor your children’s interactions with any connected toys or devices, and have frequent conversations with them about how to use the smart toys safely.

¹ FBI, “Consumer notice: Internet-connected toys could present privacy and contact concerns for children,” July 17, 2017.
² FTC, Children’s Online Privacy Protection Act.
³ FTC, “Children’s online privacy protection rule: A six-step compliance plan for your business,” June 2017.
⁴ Mashable.com, “11-year-old casually hacks into security experts’ Bluetooth to control teddy bear,” May 17, 2017.